Holy hell this sounds bad. Go is usually quite a robust language and I usually expect good things. This seems very bad. https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/