Gunnar posts:

James Clark proposes another way to look at this:

Validity should be treated not as a property of a document but as a relationship between a document and a schema.

From a security perspective the validation relationship is between document and the allowed characters (white list – strongest) or disallowed characters ( black list – weaker).

So which should it be, semantic or syntactic?