Web Application Security Guide/XML and internal data escaping