Executable code in documents leads to trouble There's a malformed PDF file going around that takes advantage of a buffer overflow in the Adobe Reader v9 software in combination with the Javascript features of PDF. The result is your PC being taken over (more here).

The advice is to disable Javascript, which prevents the attack. (PDF/-J?)

Supporting programmable code in a document file format is a bad idea, in my opinion. As this effectively transforms something fairly static called 'a document' into something very dynamic called 'an application'.

Please note that in this case a software bug (buffer overrun) gets exploited by the embedded, special crafted JavaScript code. Buffer overruns are sadly very common in released software (unchecked buffers), but they would typically only crash your application. By offering a means for anyone to run a script from inside a PDF file, the attacker could do all kinds of interesting stuff to maximize the damage. For instance the JavaScript in this attack checks which browser you run, so it can adapt its behaviour accordingly.

Documents should not contain any code, or they should be treated like applications (and checked for viruses, etc...).

XPS does not have any script support, so it regularly comes up in discussion as an argument against XPS. This is ridiculous. Not having any programmability in your fixed document format is a feature.  ¶ 14:49