Ahh, this may be the difference, sorry. I don't think that it's a reasonable step towards handling XML securely. I _do_ think it's a step towards not exposing people who don't use XML to attacks on their site via XML-parsing code paths.

One of the worst parts of the recent security... situation was that people who didn't even support YAML or XML for their API were still vulnerable. It's these people this helps, not people who actually do use XML.

I totally agree that this isn't useful to people who are actually using XML, except for my comments about quicker releases and fixes by detaching it from Rails.