==== Programmatic object building

In most cases, an application can directly create documents from user input
without having to build and parse an XML string. Doing so prevents injection
vulnerabilities as XML document construction libraries and functions will
properly escape and check the type of input values.

Sometimes, the application might need to include the user input in a document
built from a trusted XML string. In that case, the recommended solution is to
parse the trusted string first and then programmatically modify the resulting
document.