Poorly written XML parsers (and I've written my fair share) are always open to DOS attacks; XML has no upper bound on element names, attribute value length, stack depth ...
Same is mostly true of JSON parsers as well of course.
If you let potentially hostile users feed arbitrary data into any of these, even a totally non-buggy, perfectly conformant parser is wide-open to being abused via DOS.
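A defender's counterpart to the point above: a parser that enforces explicit ceilings on nesting depth, name length and attribute-value length, and refuses DTD entity declarations before any expansion can happen. This is an added example using Python's stdlib expat bindings, not code from the original thread; the limit values are constructed placeholders to be tuned per application.

```python
import xml.parsers.expat

# Constructed resource limits for this example; tune them for the real workload.
MAX_DEPTH = 32
MAX_NAME_LEN = 256
MAX_ATTR_VALUE_LEN = 4096


class ParseLimitExceeded(Exception):
    """Raised when hostile-looking input exceeds a configured resource bound."""


def parse_with_limits(data, max_depth=MAX_DEPTH, max_name_len=MAX_NAME_LEN,
                      max_attr_value_len=MAX_ATTR_VALUE_LEN):
    """Stream-parse XML with hard limits. Returns (element_count, deepest_nesting).

    Limits are checked in SAX-style handlers, so the parser aborts as soon as a
    bound is crossed instead of first materialising an arbitrarily large tree.
    """
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def start_element(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            raise ParseLimitExceeded(
                f"nesting depth {state['depth']} exceeds limit {max_depth}")
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if len(name) > max_name_len:
            raise ParseLimitExceeded(f"element name longer than {max_name_len}")
        for attr_name, value in attrs.items():
            if len(attr_name) > max_name_len:
                raise ParseLimitExceeded(f"attribute name longer than {max_name_len}")
            if len(value) > max_attr_value_len:
                raise ParseLimitExceeded(
                    f"attribute value longer than {max_attr_value_len}")

    def end_element(name):
        state["depth"] -= 1

    def entity_decl(entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        # Internal entities are the building block of entity-expansion attacks;
        # refusing the declaration means no expansion is ever attempted.
        raise ParseLimitExceeded(f"entity declaration {entity_name!r} not accepted")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.EntityDeclHandler = entity_decl
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse()
    return state["elements"], state["max_depth"]


def is_rejected(data, **limits):
    """True if the document is refused by parse_with_limits (used for checks below)."""
    try:
        parse_with_limits(data, **limits)
    except ParseLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample documents.
    benign = b'<root a="1"><child/><child/></root>'
    too_deep = b"<a>" * 40 + b"</a>" * 40
    fat_attr = b'<r x="' + b"A" * 5000 + b'"/>'
    with_entity = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
    print("benign:", parse_with_limits(benign))
    for label, doc in (("too_deep", too_deep), ("fat_attr", fat_attr),
                       ("with_entity", with_entity)):
        print(label, "rejected:", is_rejected(doc))
```

Note that the limits are enforced inside the handlers rather than by inspecting the input size up front: a small document can still nest deeply or declare a handful of entities, so byte-length caps alone do not close the hole the comment describes.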
Well, they're both written in the same language. That ought to be a Big Fat Steaming Clue (TM).
Someday, I'd like to see a nice library written in something like O'Caml or Haskell exposed as a C interface that exists solely to be a library. I know it's technically possible today, but it doesn't seem to have penetrated into the public consciousness that even a C library doesn't actually have to be written in C anymore. (It may not be slick yet, but only because people aren't doing it, chicken and egg. There's no fundamental stopper.) I sure as hell wouldn't write a "C" library in C if I had anything remotely resembling a choice.
(Of course, that only solves string bobbles, not the "infinite memory consumption required" problem, but even then those other languages can have somewhat cleaner, clever solutions than in C.)
The fact that no such libraries exist might be interpreted as a Big Fat Steaming Clue (trademark used without license).
Language geeks need to start thinking seriously about practical infrastructure issues before any of this happens. The existing infrastructure people aren't going to start using Haskell simply because you tell them to.
http://en.wikipedia.org/wiki/Billion_laughs