Re: "XML"
Over the years I've found that validation against a schema doesn't really help that much in practice, it's another complex pile of stuff to parse with more bugs waiting to bite your ass. Using as simple-to-parse format as possible (to minimize the valid permutations of input), writing unit tests and integration tests to go with it has proven to be more effective the long haul than adding yet more attack surface to the input handling code.