## Policy settings

The default policy contains recommended settings offering a balance of usability and XML attack mitigation.

Here's an example XML policy:

```json
{
    "policySettings": {
        "EnableWarningHandling": false,
        "BlockedTags": [
            "/XInclude:include",
            "/XSL/Transform:stylesheet"
        ],
        "AllowedEncodings": [
            "utf-8",
            "utf-16",
            "iso-8859-1"
        ],
        "AllowEmptyEncoding": true,
        "AllowDoctypeInCData": false
    }
}
```

### EnableWarningHandling

`PolicySettings.EnableWarningHandling`Tells the XML validation API to return warnings in the response when validating the input XML. Warnings are disabled by default.

The warnings are returned in a list. if none are found the list is empty:

```json
{
  "ValidationWarnings": [ 
    "The optional field Test is missing." 
  ]
}
```

### BlockedTags

Custom tags are allowed in XML documents. Specifying potentially risky tags in `PolicySettings.BlockedTags` allows the XML Validation API to fail if it encounters any of these tags while validating the input XML. The `ValidationResults` object on the response identifies which tag caused validation to fail.

These blocked tags match tags in the XML document by an expanded tag name that includes the namespace. This ensures the correct tag is blocked and aliasing namespaces differently cannot circumvent the check. Tags are matched by how they end so that a single rule can block namespaces defined for different years, e.g. `http://www.w3.org/2001/XInclude` and `http://www.w3.org/1999/XML/xinclude`.

For example in the following XML:

```XML
<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:xi="http://www.w3.org/2001/XInclude">
   <head>...</head>
   <body>
      ...
      <p><xi:include href="license.txt" parse="text"/></p>
   </body>
</html>
```

The `xi` namespace is set to`http://www.w3.org/2001/XInclude` and is used to prefix the `xi:include` tag. The validation of this tag is therefore evaluated to `http://www.w3.org/2001/XInclude:include`. This expanded tag name now ends with one of the default blocked tags`/XInclude:include` and is added to the validation results. These checks are also case insensitive.

By default, the following XML tags are blocked:
- XInclude
- XSL


### AllowedEncodings

XML documents may specify a character encoding standard.`PolicySettings.AllowedEncodings` is a list of strings, allowing users to specify which character encoding standard to allow in the input XML. If the XML Validation API encounters a specified encoding, validation will fail and the encoding standard is identified in the `ValidationResults` object on the response.

By default, the following character encoding standards are allowed:
- UTF-8
- UTF-16
- ISO-8859-1


### AllowEmptyEncoding

`PolicySettings.AllowEmptyEndoding` configures the ability to allow validation to pass if no character encoding is specified in the input XML.

**Note:** even with this is enabled, validation will still fail if the input XML specifies an encoding standard that is not included in `PolicySettings.AllowedEncodings`.

This is set to true by default.

### AllowDoctypeInCData

CDATA sections can be used to embed entire XML documents within other XML documents.`PolicySettings.AllowDoctypeInCData` configures the XML Validation API to fail validation if it encounters a doctype declaration in the CDATA section. Alternatively this can be set to true to allow doctype declarations.

This is set to false by default.