XML injection and XML parsing-related vulnerabilities aren't always observable from the client-side code – the XML part of the processing chain could be occurring within the server formatting your client-side input.
Following an OWASP XML injection example, the client-side form (assuming, for argument's sake, that it's making a GET request) will create an HTTP request that looks like this:
Username: james
Password: Thew45p!
E-mail: [email protected]
Then, before inserting itself into an XML-document-like-database, the application will build an individual XML node:
<user>
<username>james</username>
<password>Thew45p!</password>
<userid>500</userid>
<mail>[email protected]</mail>
</user>
You can exploit this behavior to do different kinds of injection, including...