The whole thing tops out at about 3 gigabytes of data, which will probably crash your server. (If it doesn't, the attacker can easily add a few more lines to the submitted XML file.)
