Overview

Prev Next

Policy Settings

The default policy contains recommended settings offering a balance of usability and XML attack mitigation.

Here's an example XML policy:

{
    "policySettings": {
        "EnableWarningHandling": false,
        "BlockedTags": [
            "/XInclude:include",
            "/XSL/Transform:stylesheet"
        ],
        "AllowedEncodings": [
            "utf-8",
            "utf-16",
            "iso-8859-1"
        ],
        "AllowEmptyEncoding": true,
        "AllowDoctypeInCData": false
    }
}

EnableWarningHandling

PolicySettings.EnableWarningHandling tells the XML Validation API to return warnings in the response when validating the input XML. Warnings are disabled by default.

The warnings are returned in a list. If none are found the list is empty:

{
  "ValidationWarnings": [ 
    "The optional field Test is missing." 
  ]
}

BlockedTags

Custom tags are allowed in XML documents. Specifying potentially risky tags in PolicySettings.BlockedTags allows the XML Validation API to fail if it encounters any of these tags while validating the input XML. The ValidationResults object on the response identifies which tag caused validation to fail.

These blocked tags match tags in the xml document by an expanded tag name that includes the namespace. This ensures the correct tag is blocked and aliasing namespaces differently cannot circumvent the check. Tags are matched by how they end so that a single rule can block namespaces defined for different years EG http://www.w3.org/2001/XInclude and http://www.w3.org/1999/XML/xinclude
For example in the following XML

<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:xi="http://www.w3.org/2001/XInclude">
   <head>...</head>
   <body>
      ...
      <p><xi:include href="license.txt" parse="text"/></p>
   </body>
</html>

the xi namespace is set to http://www.w3.org/2001/XInclude and is used to prefix the xi:include tag. The validation of this tag is therefore evaluated to http://www.w3.org/2001/XInclude:include. This expanded tag name now ends with one of the default blocked tags /XInclude:include and is added to the validation results. These checks are also case insensitive.

By default, the following XML tags are blocked:

  • Xinclude
  • XSL

AllowedEncodings

XML documents may specify a character encoding standard. PolicySettings.AllowedEncodings is a list of strings, allowing users to specify which character encoding standard to allow in the input XML. If the XML validation API encounters a specified encoding, validation will fail and the encoding standard is identified in the ValidationResults object on the response.

By default, the following character encoding standards are allowed:

  • UTF-8
  • UTF-16
  • ISO-8859-1

AllowEmptyEncoding

PolicySettings.AllowEmptyEndoding configures the ability to allow validation to pass if no character encoding is specified in the input XML.

Note: even with this is enabled, validation will still fail if the input XML specifies an encoding standard that is NOT included in PolicySettings.AllowedEncodings.

This is set to true by default.

AllowDoctypeInCData

CDATA sections can be used to embed entire XML documents within other XML documents. PolicySettings.AllowDoctypeInCData configures the XML Validation API to fail validation if it encounters a doctype declaration in the CDATA section. Alternatively this can be set to true to allow doctype declarations.

This is set to false by default.