I ran into this issue of atom exhaustion vulnerability recently. In my case, this would have been a major issue because I was looking to parse SAML assertions received via a publicly accessible endpoint.
I ended up going a similar route as @Adzz and others by using saxy and its SimpleForm output.
To help avoid this repeated pain for others, I’ve created the following library, which avoids this atom exhaustion problem and includes the ability to verify XML signatures.
I welcome any community contributions or feedback.
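As an added illustration of the approach described in this post (not the poster's library and not Saxy's own code), the module below parses a constructed SAML-style assertion with `Saxy.SimpleForm.parse_string/2`, so element and attribute names come back as strings rather than atoms, and measures the atom table before and after parsing to confirm that an attacker-chosen element name does not intern anything. It assumes Saxy is available as a dependency and an OTP release that supports `:erlang.system_info(:atom_count)`.

```elixir
defmodule SamlSafeParse do
  # Parses untrusted XML into Saxy's SimpleForm. Tag and attribute names are
  # binaries, so input that controls element names cannot grow the atom table.
  def parse(xml) when is_binary(xml), do: Saxy.SimpleForm.parse_string(xml)

  # Returns how many atoms were interned while `fun` ran. Callers should warm up
  # the parser once first, because loading a module interns its own atoms.
  def atoms_created_by(fun) when is_function(fun, 0) do
    before = :erlang.system_info(:atom_count)
    fun.()
    :erlang.system_info(:atom_count) - before
  end

  # Extracts the NameID text; note the element names are matched as strings.
  def name_id({"saml:Assertion", _attrs, children}) do
    Enum.find_value(children, fn
      {"saml:Subject", _, subject_children} ->
        Enum.find_value(subject_children, fn
          {"saml:NameID", _, [text]} when is_binary(text) -> text
          _ -> nil
        end)

      _ ->
        nil
    end)
  end

  # Constructed sample (hypothetical values): a SAML-style assertion that also
  # carries an element name no process in this VM has ever seen before, which
  # is exactly the kind of input that exhausts atoms in atom-based parsers.
  def untrusted_sample do
    nonce = :rand.uniform(1_000_000_000)

    """
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123">
      <saml:Issuer>https://idp.example.test</saml:Issuer>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
      <x:attacker_name_#{nonce} xmlns:x="urn:example"/>
    </saml:Assertion>
    """
  end

  def demo do
    {:ok, _} = parse(untrusted_sample())            # warm-up: loads Saxy modules
    xml = untrusted_sample()                         # fresh, never-seen element name
    created = atoms_created_by(fn -> {:ok, _} = parse(xml) end)
    {:ok, form} = parse(xml)
    IO.puts("atoms interned while parsing untrusted input: #{created}")
    IO.puts("NameID: #{name_id(form)}")
  end
end
```

Run `SamlSafeParse.demo/0` in `iex -S mix`; the atom delta for the measured parse should stay at zero no matter what element names the input carries.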