by SlowRobotAhead 2246 days ago
They could always drop XML for YAML and get more issues!

I dislike XML and would not choose it for my projects. But... in this case, it does seem like a good idea to require explicitly closed tags. Seems like it could remove 1000 error potentials for every 1 parser error.

1 comment

Yeah, an XML parser that allows invalid XML (tags must be closed, per the spec[1]) is pretty clearly a terrible choice for a security-sensitive purpose. Likely it was just oversight / accidental reuse, and it's a somewhat common error, but it's very much an engineering mistake and not an XML flaw.

[1] It's very clearly stated as item 2, in a 2-item list for well-formed-ness of documents: https://www.w3.org/TR/xml/#sec-well-formed