I recently upgraded to Word 2013. When I opened a few files that had been created in Word 2007, I noticed that under "Inspect Document" it said custom XML data was found. I saved the files under new names and let Word remove the custom XML, but I'm a little
concerned about how it got there in the first place as I did not (intentionally, at least) add any XML data.
Is the presence of XML data any sort of danger or security risk to anyone who might be sent or open the file? And how could it have gotten in there without me knowing?
---
(Sorry if this sounds paranoid. I had an issue last weekend where Word was throwing a false positive and triggering a security alert on one of my documents. Both a Microsoft support agent and a response from someone on the community assured me it was nothing
to worry about, but it left me a bit jumpy so when I saw the XML warning on multiple documents,I was concerned)
Like the false positive security alert, this is not something to be concerned about.
A little background will help: Documents that are saved in the .docx format actually consist almost entirely of XML (which stands for eXtensible Markup Language). Most of that XML is standardized to mark things like headings and tables.
In the initial release of Word 2007, there was also the ability to include special ("custom") pieces of XML for whatever purpose was desired. That capability wasn't used very much, but when it was used it was usually by add-ins or macros, not by end users.
In 2009 a company named i4i won a
patent lawsuit claiming that Microsoft infringed its patent, and the court required Microsoft to remove the custom XML feature from Word. Further, from that date onward, any version of Word that opened a document in which custom XML was already present
would be required to remove the custom XML from the file.
So the bottom line is that custom XML in a Word document is not a security risk
to anyone. It's just a very expensive headache for Microsoft and for anyone who might write an add-in that would benefit from using the forbidden custom XML.