Re: XML meets SQL
The last time I was given XML from a client - ummm, this year - it wasn't even proper XML. Embedded in it were chunks of unescaped invalid HTML. I had to parse it with adhoc regexes.
And then there's JSON, which would be OK if everything consisted of arrays, dicts, floats, and strings; if JSON serializers were all 100% bug-free; and if it didn't have to flow through a pipeline of cloudy REST APIs and database layers that don't know whether to escape it as SQL, JSON, XML, HTML, urlencoded, PHP-serialized, or what have you. This includes gems like WordPress's maybe_unserialize().
Just to be safe, better use a custom text format and base64 it....