Vulnerability in EPiServer.Forms
A flash object we use will only accept xml from a file with a .xml extension.
Is it possible to force a page to respond to a .xml extension instead of .aspx and is there any built in functionality that makes it easier to edit an xml structure?
Yep. Allan wrote an "output format" plugin which can deliver pages as XML, JSON, JPG (seriously), etc.
You pass in your desired format in the querystring argument.
On re-reading, I see you need to have a ".xml" extension -- sorry, I missed that. You'd need to rewrite the URL for this. You could do this at the IIS7 level, or by hooking the UrlRewriter in EPiServer.
Another approach would be to create a simple VirtualPathProvider to do this.