Apple's XML parsers apparently are not catching this due to the comment trick.

So the security relies on a human catching it. There are many ways to hide text from a human, IE padding it out with whitespace, character encoding tricks, etc.