Validating xml data
Integrity checks must be included wherever data passes from a trusted to a less trusted boundary, such as from the application to the user's browser in a hidden field, or to a third party payment gateway, such as a transaction ID used internally upon return.The type of integrity control (checksum, HMAC, encryption, digital signature) should be directly related to the risk of the data transiting the trust boundary. However, validation should be performed as per the function of the server executing the code.Note that you should proceed to validate the resulting numbers as well.
In many cases, Encoding has the potential to defuse attacks that rely on lack of input validation.
Unless the business will allow updating "bad" regexes on a daily basis and support someone to research new attacks regularly, this approach will be obviated before long.