XmlThreatProtection

This policy enables you to reduce the risk of content-level attack by specifying limits on various XML structures.

This rule executes only if the content type header is set to XML.

Example

In this example, limits are set on the length of element and attribute names and on the length of text, attribute, and comment values.

<xmlThreatProtection xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="xmlThreatProtection-example" displayName="xmlThreatProtection-example" enabled="true" version="1.0">

    <nameLimits>
        <element>20</element>
        <attribute>20</attribute>
    </nameLimits>
    <valueLimits>
        <text>500</text>
        <attribute>100</attribute>
        <comment>200</comment>
    </valueLimits>

</xmlThreatProtection>

Configuration

Element name           Default  Presence  Type     Multiplicity
nameLimits             n/a      Optional  n/a      0..1
nameLimits.element     n/a      Optional  integer  0..1
nameLimits.attribute   n/a      Optional  integer  0..1
valueLimits            n/a      Optional  n/a      0..1
valueLimits.text       n/a      Optional  integer  0..1
valueLimits.attribute  n/a      Optional  integer  0..1
valueLimits.comment    n/a      Optional  integer  0..1

<xmlThreatProtection> attributes

<xmlThreatProtection name="xmlThreatProtection-example" displayName="xmlThreatProtection-example" enabled="true" version="1.0">

Field name   Description                                                                                          Default  Presence
name         Name of this policy instance.                                                                        N/A      Required
displayName                                                                                                                Optional
enabled      Indicates whether the policy is enforced. If set to false, the policy is turned off and not enforced.  true     Optional
version      Policy version.                                                                                      N/A      Required

<nameLimits> element

This is an optional element that indicates the maximum number of characters allowed for element and attribute names in an XML document. All the elements inside the nameLimits element are also optional.

<nameLimits>
    <element>20</element>
    <attribute>20</attribute>
</nameLimits>

In the example above, the name limits are set so that an xmlThreatProtection event is raised if either an element name or attribute name exceeds 20 characters.

<valueLimits> element

This is an optional element that indicates the maximum number of characters allowed for the values of attributes, text, and comments. All the elements inside the valueLimits element are also optional.

<valueLimits>
    <text>500</text>
    <attribute>100</attribute>
    <comment>200</comment>
</valueLimits>

In the example above, the value limits are set so that an xmlThreatProtection event is raised in one of these cases:

  • The text section of an XML element exceeds 500 characters.
  • An attribute value exceeds 100 characters.
  • A comment exceeds 200 characters.
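
The name and value limits described above, applied to a request body before it is sent through the gateway. This is an added example, not Infor's implementation or code from this page. Assumptions: lengths are counted in characters, names are measured as written (prefix included), and text is measured per contiguous text node; `load_limits`, `check`, and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat
NS = {"p": "http://www.infor.com/ion/api"}
# Limits copied from the example policy on this page.
POLICY = """<xmlThreatProtection xmlns="http://www.infor.com/ion/api" name="example" version="1.0">
  <nameLimits><element>20</element><attribute>20</attribute></nameLimits>
  <valueLimits><text>500</text><attribute>100</attribute><comment>200</comment></valueLimits>
</xmlThreatProtection>"""

def load_limits(policy_xml):
    """Return {"nameLimits.element": 20, ...}; limits left out are not enforced."""
    root, limits = ET.fromstring(policy_xml), {}
    for group in ("nameLimits", "valueLimits"):
        node = root.find(f"p:{group}", NS)
        for child in (node if node is not None else ()):
            limits[group + "." + child.tag.split("}")[1]] = int(child.text)
    return limits

def check(document, limits):
    """Stream the document once; return [(limit_name, observed_length), ...]."""
    found, run = [], 0
    def over(key, length):
        if key in limits and length > limits[key]:  # "exceeds": equal length passes
            found.append((key, length))
    def flush_text():
        nonlocal run
        over("valueLimits.text", run)
        run = 0
    def start(name, attrs):
        flush_text()
        over("nameLimits.element", len(name))  # assumption: raw name, prefix included
        for attr_name, value in attrs.items():
            over("nameLimits.attribute", len(attr_name))
            over("valueLimits.attribute", len(value))
    def comment(data):
        flush_text()
        over("valueLimits.comment", len(data))
    def chars(data):  # expat may split one text node into chunks, so sum them
        nonlocal run
        run += len(data)
    parser = expat.ParserCreate()
    parser.StartElementHandler, parser.EndElementHandler = start, lambda name: flush_text()
    parser.CommentHandler, parser.CharacterDataHandler = comment, chars
    parser.Parse(document, True)
    return found

# Constructed sample body: oversized attribute value, element name and text.
SAMPLE = ('<order id="' + "9" * 101 + '"><!-- ok --><aVeryLongElementNameOver20Chars>'
          + "x" * 501 + '</aVeryLongElementNameOver20Chars></order>')
```

`check(SAMPLE, load_limits(POLICY))` lists each limit the sample exceeds together with the observed length, in document order.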