Up-front credit to my colleagues Filipe Almeida and Michal Zalewski, who led the way in E4X security research.
If you haven't heard of E4X, or don't know why Firefox's E4X support should scare you, please consider reading this article.
I've just released details for a recently fixed Firefox XML injection bug. It's one of those bugs that is in search of a good exploitation opportunity. Currently, the known impact is negligible, but I'm throwing it out in case anyone has better ideas than I do. It feels like the interaction of this bug and E4X should be fruitful, but perhaps not: