I just read the paper and, correct me if I'm wrong, this vulnerability *only* applies to JSON. XML is safe, because it has to be parsed before the data can be extracted. I avoid JSON because I don't like to have eval() statements in my code. This would seem a more obvious solution to the problem than the one proposed.
Chris
