So let me get this straight,
"we tested out some XML frameworks and some of them broke". Good, this is nice to know. Now tell me which ones so I can see if I have a problem. Not telling? The CERN advisory has a very short list, but if that is the full extent of what they found then it's not much. @Fazal Majid says that expat has a problem - OK, that's interesting to me.
"broke things might run other people's code". True. Do any of these top pieces of software break like that or is this just a statement of general principle? I agree with the principle but not all broken software breaks in the same way.
"here is a list of XML parsing software - we haven't tested most of it but it may all be broken". Or not. I'm having a little trouble with this logic. I want a list of what these guys have tested, not a wikipedia entry on XML.
"We have a piece of software that everyone should be using to test their libraries". OK, now I understand what this article is all about - it's an advertisement.
In reality most XML parsing software is regularly tested with broken XML. I do it all the time without even trying. A typo here, a misplaced character there, some broken encoding, whatever. And what happens? I get a message telling me that my XML is broken. Just like it should. Now, if the application using the library is too stupid to realise that something is broken and chugs on regardless then bad things might happen, or if the application lets the library stop the program (very unusual in my experience) then we might have a denial of service attack against the application.
Many applications using XML do so with XML that is completely under the control of the software or the local user, so there isn't likely to be any direct threat. It's only the applications that process XML from untrusted sources that are at risk.
Maybe not everyone is doomed after all.
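The two outcomes the comment describes, a parser that reports broken input and an application that "chugs on regardless", can be shown side by side. The following is an added example, not part of the original post or of any of the software it mentions; it uses Python's standard `xml.etree.ElementTree` (backed by expat), the sample documents are constructed here, and the `max_bytes` cap is an assumed defensive choice rather than anything the post prescribes.

```python
import xml.etree.ElementTree as ET

# Constructed sample documents: one well-formed, three broken in the ways the
# comment lists (a typo, a misplaced character, a bad encoding).
SAMPLES = {
    "well_formed": b"<order><item sku='A1' qty='2'/></order>",
    "typo_in_tag": b"<order><item sku='A1' qty='2'/></ordre>",
    "stray_character": b"<order><item sku='A1' qty='2'/>A & B</order>",
    "bad_encoding": b"<?xml version='1.0' encoding='utf-8'?><order>\xff\xfe</order>",
}


def parse_untrusted(data: bytes, max_bytes: int = 1 << 20):
    """Parse XML that came from an untrusted source.

    Returns (root, None) on success or (None, reason) on failure. The parse
    error is caught here, so the library never stops the program, and the
    caller gets an explicit reason instead of a half-processed document.
    The size cap is an assumed application-level limit, not a parser feature.
    """
    if len(data) > max_bytes:
        return None, f"rejected: {len(data)} bytes exceeds limit of {max_bytes}"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # expat reports the line/column and the kind of error (mismatched tag,
        # invalid token, ...); we pass that through for logging.
        return None, f"malformed XML: {exc}"
    return root, None


def count_items_naive(data: bytes) -> int:
    """The 'chugs on regardless' pattern the comment warns about.

    Any failure is swallowed and reported as zero items, so a broken document
    is indistinguishable from a legitimately empty one and the caller keeps
    going on bad data.
    """
    try:
        root = ET.fromstring(data)
    except Exception:
        root = None
    return len(root.findall("item")) if root is not None else 0


def count_items_strict(data: bytes):
    """Same task, but the failure is visible: returns (count, None) or (None, reason)."""
    root, reason = parse_untrusted(data)
    if root is None:
        return None, reason
    return len(root.findall("item")), None


def triage(samples: dict) -> dict:
    """Run every sample through parse_untrusted and summarise the verdicts."""
    verdicts = {}
    for name, data in samples.items():
        _, reason = parse_untrusted(data)
        verdicts[name] = "ok" if reason is None else "rejected"
    return verdicts


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        root, reason = parse_untrusted(data)
        print(f"{name:16s} strict={count_items_strict(data)} naive={count_items_naive(data)} "
              f"{'' if reason is None else reason}")
```

Running the block prints one line per sample: the well-formed order yields one item both ways, while the three broken documents are reported with an expat error by the strict path but silently counted as zero items by the naive path. That zero is exactly the case the comment describes: the parser did its job and said the XML was broken; only the application that ignores the answer turns it into a problem.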