Version 2.0 of the OpenID specification allows for service discovery via XML. If the OpenID implementation is insecure, this allows harmful XML to be injected.
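An added example (not from the original page or from any OpenID library): a relying-party-side parser for the XML discovery document, which in OpenID 2.0 is an XRDS document, that refuses any DOCTYPE declaration before reading the service entries. The size limit, the HTTPS-only filter, the sample documents and all function names are assumptions made for illustration.

```python
import xml.parsers.expat as expat

XRD_NS = "xri://$xrd*($v*2.0)"   # XRD namespace used by XRDS documents
MAX_BYTES = 64 * 1024            # assumed size limit, not from the page
# Constructed sample inputs (not captured from a real provider).
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service>
    <Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>https://op.example/endpoint</URI>
  </Service></XRD>
</xrds:XRDS>"""
SAMPLE_DTD = b'<!DOCTYPE x [<!ENTITY e "constructed">]><x>&e;</x>'

class UnsafeDiscoveryDocument(ValueError):
    """Discovery document rejected before any of its content is trusted."""

def parse_xrds(data: bytes):
    """Return the <Service> entries of an XRDS document, refusing DTDs."""
    if len(data) > MAX_BYTES:
        raise UnsafeDiscoveryDocument("document too large")
    services, stack, text = [], [], []

    def forbid(*_args):
        # Discovery never needs a DOCTYPE; refusing it rules out entities.
        raise UnsafeDiscoveryDocument("DOCTYPE declaration present")
    def start(name, _attrs):
        stack.append(name)
        text.clear()
        if name == f"{XRD_NS} Service":
            services.append({"types": [], "uris": []})
    def end(name):
        stack.pop()
        value = "".join(text).strip()
        text.clear()
        if stack and stack[-1] == f"{XRD_NS} Service":
            if name == f"{XRD_NS} Type":
                services[-1]["types"].append(value)
            elif name == f"{XRD_NS} URI" and value.startswith("https://"):
                services[-1]["uris"].append(value)  # assumed HTTPS-only policy

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = forbid
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeDiscoveryDocument(f"malformed XML: {exc}") from exc
    return services
```

Rejecting the document at the DOCTYPE means no entity is ever declared or expanded, so the caller only sees service types and endpoint URIs from plain element content.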