Limitations

xmlbase has several limitations, which are described below.

Execution speed

xmlbase is written in Perl, and although Perl scripts are known for speedy execution, this notably limits xmlbase's usefulness for large databases. You shouldn't try to manage databases with more than a few hundred records with xmlbase unless you have a really fast machine. However, xmlbase scales reasonably well with growing databases, and the maximum number of records largely depends on the complexity of the record structure and your arbitrary demands on the system's reaction speed.

Supported XML subset

xmlbase's XML parser supports only a subset of valid XML. You will be able to feed XML files created and maintained by xmlbase into any other program accepting valid (or well-formed) XML, but you probably cannot make xmlbase use an arbitrary XML file produced by some other program.

  1. Processing instructions (PIs) are supported only at the very beginning and the very end of the file, where "supported" means that they are maintained between rewrites of the file and ignored otherwise. SGML comments are not supported at all.

  2. As the XML prolog declaration is ignored, the only charset used and supported by xmlbase is ISO-8859-1.

  3. Empty-element tags (not to be confused with a start-tag immediately followed by an end tag) are not supported.

  4. Nested tags must have different names; it is not possible to nest a tag inside another tag of the same name.

  5. The tag and attribute names content and parent are reserved and cannot be used, as they have a special meaning in xmlbase. For the same reason, the name permission cannot be used as an attribute name of a second-level tag or as a third-level tag name.

Apart from that, xmlbase's XML parser is fairly error tolerant to things like missing end-tags and missing quotes around attribute values.
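The five restrictions above can be checked before a file produced by another program is handed to xmlbase. The following Python check is an added example, not part of xmlbase; the name check_subset, the sample data, and the readings that the root element is level 1 and that rule 4 applies to any enclosing tag are assumptions.

```python
import re

RESERVED = {"content", "parent"}                      # rule 5
TOKEN = re.compile(r"<!--.*?-->|<\?.*?\?>|<[^>]*>", re.S)
QUOTED = re.compile(r"\"[^\"]*\"|'[^']*'")             # quoted attribute values
ATTR_NAME = re.compile(r"([^\s=]+)\s*=")
ENCODING = re.compile(r"encoding\s*=\s*[\"']?([\w.-]+)", re.I)

def check_subset(text):
    """Return sorted (rule, detail) pairs, one per rule of the list that text breaks."""
    found, stack = set(), []                          # stack: names of open elements
    for tok in TOKEN.findall(text):
        if tok.startswith("<!--"):
            found.add((1, "comment"))
        elif tok.startswith("<?"):
            enc = ENCODING.search(tok) if tok.startswith("<?xml ") else None
            if enc and enc.group(1).lower() != "iso-8859-1":
                found.add((2, enc.group(1)))          # declaration is ignored by xmlbase
            if stack:                                 # neither file start nor file end
                found.add((1, "PI inside element"))
        elif tok.startswith("</"):
            name = tok[2:-1].strip()
            if name in stack:                         # tolerate missing end-tags
                while stack.pop() != name:
                    pass
        elif not tok.startswith("<!"):                # DOCTYPE/CDATA: not in the list, skipped
            parts = tok[1:-1].rstrip("/").split(None, 1)
            if not parts:
                continue
            name = parts[0]
            attrs = ATTR_NAME.findall(QUOTED.sub("", parts[1])) if len(parts) > 1 else []
            depth = len(stack) + 1                    # assumption: root element is level 1
            if tok.endswith("/>"):
                found.add((3, name))
            if name in stack:                         # assumption: any enclosing tag counts
                found.add((4, name))
            found.update((5, n) for n in [name] + attrs if n in RESERVED)
            if (depth == 3 and name == "permission") or (depth == 2 and "permission" in attrs):
                found.add((5, "permission"))
            if not tok.endswith("/>"):
                stack.append(name)
    return sorted(found)

# Constructed sample that breaks every rule once (not a real xmlbase database).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<addressbook><!-- exported by another tool -->
  <person permission="admin"><photo src="ada.png"/><parent>none</parent>
    <group><group>nested</group></group></person></addressbook>"""

print(check_subset(SAMPLE))
```

An empty result means the file stays within the listed restrictions; it does not prove that xmlbase will accept the file.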

Security considerations

xmlbase's authentication mechanisms are not designed to protect top-secret data, but they are reasonably secure in most other cases. xmlbase employs a simple user/password authentication scheme; once a user has been authenticated, he or she is recognized by user name and IP address on subsequent requests until a session times out or the user expressly logs out.

This IP-based recognition method can be a security weakness if an IP address is likely to be used by more than one machine while a valid user is authenticated with xmlbase. This happens when the user connects to the Internet through a proxy server shared with other users. However, even if an attacker had access to a machine using the same IP address, he or she would still need to know the user name to exploit this weakness.