Comment 2 for bug 1404117

Aaron Wells (u-aaronw) wrote:

Yeah, that seems to be the suggestion given by OWASP: https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_XML_Injection

"The framework should provide safe libraries for constructing and manipulating XML documents that automatically encode all dynamic data. The framework should disallow any direct access to raw XML."

Unfortunately HTMLPurifier doesn't really support cleaning XML (I mean, does XML have exactly the same stuff that needs to be cleaned out, as HTML does?).

Another option we could look at would be to add a "Content-Disposition: attachment" header to XML files. Currently we serve XML files without a Content-Disposition header, which tells the browser to display them in the browser window. And even for other file types that are unrecognized, we do "Content-Disposition: inline", which tells it to try to display the file in the browser window and download it if that's not possible. We should really be doing "Content-Disposition: attachment", which would tell the browser to download the file, and NOT display it in the window. This is especially true because the link reads "Download"!
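The header change discussed in the comment above, as an added example that is not part of the bug thread and not the project's own code: a small Python helper that builds the response headers for serving a user-uploaded file (such as an XML export) as a download. It forces `Content-Disposition: attachment`, strips path components and control characters from the user-supplied filename so the header cannot be broken or split, and carries the original name in the RFC 6266/5987 `filename*` parameter. The `X-Content-Type-Options: nosniff` header is an assumption added here so the browser does not guess a renderable type; the function and parameter names are hypothetical.

```python
import re
from urllib.parse import quote

# Constructed example: response headers for a file download.
# Not the project's code; names and the nosniff header are assumptions.


def attachment_disposition(filename: str) -> str:
    """Build a Content-Disposition header value that forces a download.

    - Drops control characters (so CR/LF cannot inject further headers).
    - Keeps only the last path component (no directory traversal in the name).
    - ASCII fallback in the quoted 'filename' parameter with quote and
      backslash characters replaced, which keeps the quoted-string intact.
    - Original name percent-encoded as UTF-8 in 'filename*' (RFC 6266/5987).
    """
    stripped = re.sub(r"[\x00-\x1f\x7f]", "", filename)
    base = stripped.split("/")[-1].split("\\")[-1]
    if not base or base in (".", ".."):
        base = "download"  # constructed default for an unusable name
    ascii_name = re.sub(r"[^\x20-\x7e]", "_", base)
    ascii_name = ascii_name.replace('"', "_").replace("\\", "_")
    encoded = quote(base, safe="")
    return f"attachment; filename=\"{ascii_name}\"; filename*=UTF-8''{encoded}"


def download_headers(filename: str, content_type: str = "application/octet-stream") -> dict:
    """Headers for serving a user-supplied file so the browser downloads it
    rather than rendering it inline."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": attachment_disposition(filename),
        # Assumption: ask the browser not to sniff a different (renderable) type.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for name in ("report.xml", "résumé.xml", "../../etc/passwd", 'a"b.xml\r\nX-Evil: 1'):
        print(name, "->", download_headers(name, "application/xml")["Content-Disposition"])
```

The `filename` fallback is what older clients read; modern browsers prefer `filename*`, so a non-ASCII name such as `résumé.xml` is restored correctly while the ASCII parameter degrades to underscores.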