Validate the Input Text

There’s a strong temptation to look at the XML validation capabilities and decide
that they provide all the input security necessary for data transmitted through
XML documents. Unfortunately, as we’ve seen, it’s all too easy for hackers to
exploit plain-text inconsistencies from one character set to another to launch
attacks against systems that are using well-formed and validated XML. It therefore
falls to the developer to create separate validation routines for data coming into
an application through a validated XML document.
The proper approach is to break the problem of verification into a number of
discrete steps. First in order, though last in our examination, are formal validation
of the foundation data definition documents through DTD and Schema validating
parsers. Next comes treatment of the input stream as it is received into the
application. Ensuring that each input character is valid within the definition of
the language and that each is decoded according to a mapping agreed to by all
the components of the application is the crucial next step. Finally, requiring each
properly decoded entry to fall within logical bounds of the application helps
weed out both malicious programming mischief and the unintended consequences
of human error.