diff --git a/activesupport/CHANGELOG b/activesupport/CHANGELOG
index d977682f5c..a4046061aa 100644
--- a/activesupport/CHANGELOG
+++ b/activesupport/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Demote Hash#to_xml to use XmlSimple#xml_in_string so it can't read files or stdin. #8453 [candlerb, Jeremy Kemper]
+
 * Backport clean_logger changes to support ruby 1.8.2 [mislav]
 
 * Added proper handling of arrays #8537 [hasmanyjosh]
diff --git a/activesupport/lib/active_support/core_ext/hash/conversions.rb b/activesupport/lib/active_support/core_ext/hash/conversions.rb
index 2c0d894518..929dd45e98 100644
--- a/activesupport/lib/active_support/core_ext/hash/conversions.rb
+++ b/activesupport/lib/active_support/core_ext/hash/conversions.rb
@@ -20,6 +20,27 @@ class Array
 end
 end
 
+# Locked down XmlSimple#xml_in_string
+class XmlSimple
+ # Same as xml_in but doesn't try to smartly shoot itself in the foot.
+ def xml_in_string(string, options = nil)
+ handle_options('in', options)
+
+ @doc = parse(string)
+ result = collapse(@doc.root)
+
+ if @options['keeproot']
+ merge({}, @doc.root.name, result)
+ else
+ result
+ end
+ end
+
+ def self.xml_in_string(string, options = nil)
+ new.xml_in_string(string, options)
+ end
+end
+
 module ActiveSupport #:nodoc:
 module CoreExtensions #:nodoc:
 module Hash #:nodoc:
@@ -135,7 +156,7 @@ module ActiveSupport #:nodoc:
 module ClassMethods
 def from_xml(xml)
 # TODO: Refactor this into something much cleaner that doesn't rely on XmlSimple
- typecast_xml_value(undasherize_keys(XmlSimple.xml_in(xml,
+ typecast_xml_value(undasherize_keys(XmlSimple.xml_in_string(xml,
 'forcearray' => false,
 'forcecontent' => true,
 'keeproot' => true,
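Review bot: `xml_in_string` passes its argument straight to `parse` without checking that it is a String, so the "can't read files or stdin" guarantee from the CHANGELOG entry is only as strong as whatever `parse` accepts. `parse` is not visible in this hunk; if it forwards to the REXML document constructor, an IO object handed in here would presumably still be read. A guard as the first statement, `raise ArgumentError, 'xml_in_string expects a String' unless string.is_a?(String)`, would make the contract explicit. The method comment could also state what is being avoided, for example `# Unlike xml_in, always parses the argument as XML text and never as a file name or stdin.`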
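Review bot: The call in `from_xml` carries no hint that `xml_in_string` was chosen for safety, and the TODO directly above it invites a refactor that could swap the parser entry point back to `xml_in`. A one-line comment next to the call, such as `# xml_in_string, not xml_in: caller-supplied XML must never be resolved as a file name or stdin`, would keep that reasoning where the next maintainer will see it. `from_xml` starts inside this hunk but its body continues past the hunk's last line.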