When is it not safe to load an XML file into an XmlDocument object?
Any time the source is untrusted, it turns out:
Tom Hollander: Protecting against XML Entity Expansion attacks
That's one I haven't heard of before, and shows why every input from an untrusted source should be treated with care.
It reminds me of the zip expansion attacks that used to break mail servers 8 or so years ago:
Zip expansion attack. A large uniform file (for example 1 Gbyte of Zeros) is zipped and e-mail. AV or content filtering products attempt to unzip the attachment for checking, but are unable to do so because of lack of disc space. [ecommnet]
The old expanding file trick. What will they think of next?