How to defend against hacking if a user submits XML

I have a feature where users can submit pure XML in a form. When my server gets the response I will validate it against a XML schema then I store it in the database. I never show the XML on a 开发者_开发百科webpage unless it is in a form for editing.

I use the XML to render html forms or text in a webpage and I will encode the text and never show the actual XML in a browser unless its for editing. Am I subject to a lot of hacking? How can I better defend against this?

For example:

<criteria name="Performance" type="textbox">115 Horsepower</criteria>

Above will render either a table cell with the word 115 Horsepower in it or it my render a textbox with the word 115 Horsepower in it.

Think in the direction of some parts of XML missing and some parts repeating twice or more. Take care of those edge cases in your schema.

Here's one example of an attack vector for XML content:

http://en.wikipedia.org/wiki/Billion_laughs