I’ve written some (small) server controls in C# and have to agree that the overhead using the “Writer” classes is ridiculous. I tried it that way for a couple of days and then totally gave up on it. Not only was it a burden to use, but it was generating more bugs because it was VERY difficult to simply look at the code and know whether or not every StartElement() had a matching EndElement() - much more difficult than looking at actual XML. It’s easy enough looking at the simple example in this post, but pepper that with about 50 elements at various nesting levels and your eyes will start to glaze over very quickly.
The DOM model has its uses, to be sure. One example is program options in the Win32 world; yes, .NET has a vast library of persistence classes, but Win32 doesn’t, and when I wanted to store program options in XML it was pretty easy to wrap existing DOM interfaces such that arbitrary new options could be added with just two extra lines of code (one to load, one to save).
A lot of these classes were written to address specific needs, and people shouldn’t assume that just because it’s possible to use them in a specific situation, they have to be used in that situation. No best practices!
And XSS is overrated - how about instead of using these clunky writer classes or remembering to escape every single output string, you just escape the form INPUT, once? How many common scenarios are there where you can escape the output but not the input?
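As an added example (not part of the comment above or of any .NET library), the following Python script takes the "escape the form INPUT, once" approach literally: it HTML-escapes a value on arrival, stores it, and then renders the stored value into several sinks (HTML body, quoted attribute, unquoted attribute, href, JSON API) without further work. Beside it is the alternative of encoding at each output sink according to that sink's grammar. The template strings and the sample inputs are constructed for the demonstration; the check is simply to compare the two rendered results for each sink.

```python
"""Added example: HTML-escape once at input versus encode per output context."""
import html
import json
import urllib.parse


def escape_at_input(value: str) -> str:
    """The 'escape the form INPUT, once' approach: HTML-escape on arrival and store that."""
    return html.escape(value, quote=True)


def render_naive(stored: str) -> dict:
    """Sinks that trust the stored, already-escaped value as-is (constructed templates)."""
    return {
        "body": f"<p>Hello {stored}</p>",
        "quoted_attr": f'<input value="{stored}">',
        "unquoted_attr": f"<input value={stored}>",
        "href": f'<a href="{stored}">profile</a>',
        "json_api": json.dumps({"name": stored}),
    }


def render_output_encoded(raw: str) -> dict:
    """Store the raw value; encode at each sink using that sink's own rules."""
    return {
        "body": f"<p>Hello {html.escape(raw)}</p>",
        # Attributes are always quoted, then HTML-escaped including quote characters.
        "quoted_attr": f'<input value="{html.escape(raw, quote=True)}">',
        "unquoted_attr": f'<input value="{html.escape(raw, quote=True)}">',
        # User data never becomes a whole URL; it is percent-encoded into a query parameter.
        "href": f'<a href="/profile?u={urllib.parse.quote(raw, safe="")}">profile</a>',
        # A non-HTML sink gets the raw value; JSON does its own escaping.
        "json_api": json.dumps({"name": raw}),
    }


# Constructed inputs for the comparison (not taken from the page).
UNQUOTED_ATTR_INPUT = "x onmouseover=alert(1)"   # no <>"'& at all, so html.escape leaves it alone
URL_INPUT = "javascript:alert(1)"                # likewise untouched by html.escape
PLAIN_NAME = "O'Brien"                           # a legitimate value that must survive every sink


def compare(raw: str) -> dict:
    """Return, per sink, the naive (escaped-once) and output-encoded renderings side by side."""
    naive = render_naive(escape_at_input(raw))
    encoded = render_output_encoded(raw)
    return {sink: (naive[sink], encoded[sink]) for sink in naive}


if __name__ == "__main__":
    for sample in (UNQUOTED_ATTR_INPUT, URL_INPUT, PLAIN_NAME):
        print(f"--- input: {sample!r}")
        for sink, (naive, encoded) in compare(sample).items():
            print(f"{sink:14} escaped-once: {naive}")
            print(f"{'':14} per-output:   {encoded}")
```

Running it shows where the single input escape leaves the rendered page unchanged (the unquoted attribute and href cases contain none of the characters `html.escape` rewrites) and where it corrupts data that was never headed for HTML in the first place (the JSON sink emits `O&#x27;Brien`). The per-output version handles each sink with the matching encoder, which is the reason output encoding is the usual recommendation.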