This is an example of the general need to validate all input. IMHO, if you look at it that way then you basically need to do Option #3 anyways since good input validation practice is to "default deny" + accept only known good input patterns.

Depending on the depth and complexity of the full graph of input that you seem to be worried about, you might also consider doing a hash of those big, hairy fields (à la your xml example) to verify their not-changed status more simply.

For the fully general case, you'll have to do the full validation anyways, especially if you want to gracefully support compatibility across versions, but it's unclear whether or not you actually need/want to go that far given your examples.

Hope this helps,
John
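
An added example, not part of John's message: one way to combine the two suggestions above, default-deny validation against known-good patterns plus a digest check for large fields that must come back unchanged. The field names, patterns and the assumption that the server keeps the digest of each field it issued are hypothetical.

```python
import hashlib
import hmac
import re

# Hypothetical schema: every accepted field is listed with a known-good pattern.
# Anything not listed here is rejected (default deny).
ALLOWED = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "quantity": re.compile(r"[1-9][0-9]{0,3}"),
}
# Large fields that must come back unchanged; checked by digest, not parsed.
UNCHANGED = {"profile_xml"}


def digest(value: str) -> str:
    """SHA-256 of a field as issued; assumed to be kept server-side."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def validate(submitted: dict, issued_digests: dict) -> list:
    """Return a list of rejection reasons; an empty list means accept."""
    errors = []
    for name, value in submitted.items():
        if not isinstance(value, str):
            errors.append(f"{name}: not a string")
        elif name in UNCHANGED:
            expected = issued_digests.get(name, "")
            # Constant-time comparison of the recomputed and stored digests.
            if not hmac.compare_digest(digest(value), expected):
                errors.append(f"{name}: modified since it was issued")
        elif name in ALLOWED:
            if not ALLOWED[name].fullmatch(value):
                errors.append(f"{name}: does not match known-good pattern")
        else:
            errors.append(f"{name}: unexpected field")
    for name in sorted((ALLOWED.keys() | UNCHANGED) - submitted.keys()):
        errors.append(f"{name}: missing")
    return errors


# Constructed sample data.
ISSUED_XML = "<profile><role>user</role></profile>"
ISSUED = {"profile_xml": digest(ISSUED_XML)}
GOOD = {"username": "alice_01", "quantity": "3", "profile_xml": ISSUED_XML}
TAMPERED = dict(GOOD, profile_xml=ISSUED_XML.replace("user", "admin"))

if __name__ == "__main__":
    print(validate(GOOD, ISSUED))      # accepted
    print(validate(TAMPERED, ISSUED))  # rejected: digest mismatch
```

The digest check only holds if the submitter cannot also replace the stored digest; if the digest has to travel with the data, a keyed MAC is needed instead of a plain hash.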
