XML Injection is a Code Injection variant in which an attacker supplies input that is incorporated into an XML document as a malicious XML block, which is then processed by the application's XML processor.
An attacker may inject XML into the target application in order to change the application's configuration data or insert malicious content. This happens because user-supplied data is used directly to build XML documents. The same vulnerability may also be used to read arbitrary files, such as application source code, passwords and configuration data, from the application file system.
Sanitise all user-supplied data for special characters that could be used to build XML tags, such as <, > and <![CDATA[. It is generally recommended to encode user-supplied input with XML entities where this is appropriate.
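The following is an added example (not code from the original text) showing the root cause and the recommended fix side by side: a user record built by pasting untrusted input straight into XML text, and the same record built with XML entity encoding and with the XML library's own builder. The element names, the helper functions and the sample input are all constructed for illustration.

```python
# Added example (not part of the original text): building an XML user record
# from untrusted input, first by string concatenation (the pattern the text
# describes as vulnerable) and then with XML entity encoding / a proper builder.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def build_user_xml_unsafe(username: str, role: str = "user") -> str:
    """Vulnerable: user-supplied data is pasted straight into the XML text."""
    return "<user><name>" + username + "</name><role>" + role + "</role></user>"


def build_user_xml_escaped(username: str, role: str = "user") -> str:
    """Hardened: encode <, >, & and quotes as XML entities before insertion."""
    quotes = {'"': "&quot;", "'": "&apos;"}
    return ("<user><name>" + escape(username, quotes)
            + "</name><role>" + escape(role, quotes) + "</role></user>")


def build_user_xml_tree(username: str, role: str = "user") -> str:
    """Hardened: let the XML library build the document; it escapes for us."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = username
    ET.SubElement(user, "role").text = role
    return ET.tostring(user, encoding="unicode")


def has_xml_markup(value: str) -> bool:
    """Input check (hypothetical helper): flag values carrying XML
    metacharacters or a CDATA opener. Encoding is the preferred control;
    this is useful as an extra detection / logging signal."""
    return any(c in value for c in "<>&") or "<![CDATA[" in value


def roles_in(xml_text: str) -> list:
    """Parse the document and return the text of every <role> element."""
    root = ET.fromstring(xml_text)
    return [r.text or "" for r in root.iter("role")]


def name_in(xml_text: str) -> str:
    """Parse the document and return the text of the first <name> element."""
    root = ET.fromstring(xml_text)
    return root.find("name").text or ""


# Constructed sample input: a username carrying XML markup. With naive
# concatenation it closes <name> and smuggles in a second <role> element;
# with entity encoding it stays inert text inside <name>.
CONSTRUCTED_INPUT = "alice</name><role>admin</role><name>"

if __name__ == "__main__":
    print(roles_in(build_user_xml_unsafe(CONSTRUCTED_INPUT)))   # ['admin', 'user']
    print(roles_in(build_user_xml_escaped(CONSTRUCTED_INPUT)))  # ['user']
    print(roles_in(build_user_xml_tree(CONSTRUCTED_INPUT)))     # ['user']
    print(has_xml_markup(CONSTRUCTED_INPUT))                    # True
```

Both hardened variants keep the input as character data, so the parsed document still has exactly one role element and the name element's text is the original input unchanged; the ElementTree builder is the simpler choice when you control document construction, while `escape` is the drop-in fix for existing string-templated XML.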