About malicious code and SafeXMLText

Build 1501 on 14/Nov/2017  This topic last edited on: 25/Aug/2014, at 12:39

When content comes from untrusted sources or users, HTML/XML attributes can be used to inject malicious code into the application.

There's a new option in the schema for storing such values in a safe way (it is now the default for the xmlText element in the story object):

      <xs:element name="xmlText" type="tXml" gs:storage="SafeXmlText">
        <xs:annotation>
          <xs:documentation>The text of the version as XML.
          ....

With the SafeXmlText storage option, the input HTML is always sanitized, which prevents the execution of scripts and iframes, inline JavaScript, and several other common code injection patterns.
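To make concrete what "sanitized" means here, the following is an added illustration, not the product's SafeXmlText implementation (whose exact rules this page does not document): an allow-list sanitizer in Python that drops script and iframe elements together with their content, strips inline JavaScript from attributes (on* handlers and javascript: URLs, including ones padded with whitespace or control characters), removes unknown tags while keeping their text, and re-escapes all text before it is emitted. The tag and attribute allow-lists and the sample input are assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-lists for this illustration only; the page does not document SafeXmlText's own rules.
DROP_WITH_CONTENT = {"script", "iframe", "style", "object", "embed"}  # executable or embedded content
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "span"}
ALLOWED_ATTRS = {"href", "title"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")

def _safe_url(value):
    # Strip whitespace/control characters first so "java\tscript:" cannot slip past the scheme check.
    probe = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    return ":" not in probe or probe.startswith(SAFE_SCHEMES)

class SafeXmlTextSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element that is dropped together with its content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:  # unknown tags are removed, their text kept
            kept = ""
            for name, value in attrs:
                # on* attributes are inline JavaScript handlers; href is kept only with a safe scheme
                if name in ALLOWED_ATTRS and not name.startswith("on") and (name != "href" or _safe_url(value or "")):
                    kept += ' %s="%s"' % (name, escape(value or "", quote=True))
            self.out.append("<%s%s%s>" % (tag, kept, "/" if tag == "br" else ""))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped, never copied through raw

def sanitize(html):
    parser = SafeXmlTextSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample input mixing legitimate markup with the injection patterns the page names.
SAMPLE = ('<p onclick="steal()">Hi <b>there</b><script>alert(1)</script>'
          '<iframe src="https://example.invalid"></iframe>'
          '<a href=" javascript:alert(1)">x</a><a href="https://example.com">ok</a></p>')
```

Calling `sanitize(SAMPLE)` yields `<p>Hi <b>there</b><a>x</a><a href="https://example.com">ok</a></p>`: the handler attribute, the script and iframe elements and the javascript: link target are gone, while the legitimate markup and link survive.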