Security review for XML processing

We've known of security vulnerabilities dating from the 4Suite days, many of which are inherited from expat. We've closed some, but there are indications of more, including [new ones discovered in our XSLT implementation](https://www.corelan.be/index.php/2012/05/25/hitb2012ams-day-2-attacking-xml-processing/). This ticket is a general placeholder for sound security review of amara.
