Version: 8.2411.x.x RR

XmlFilter

XmlFilter validates request bodies containing XML, i.e. it makes sure that the XML content is well-formed.

Classname
ch::nevis::nevisproxy::filter::validation::XmlFilter
Library
libValidationFilters.so.1

Configuration

BlockOnError

  • Type: Enum
  • Possible values: on, off, log
  • Usage Constraints: optional, conditional
  • Default: on
  • Newline-separated list of conditions defining whether requests containing malformed XML are blocked (on) or only logged (log). With "off", this filter does not inspect the request body at all.

StatusCode

  • Type: Integer
  • Usage Constraints: optional, min: 100, max: 1000
  • Default: 403
  • Defines the response status code of a blocked response.

LoadExternalDocuments

  • Type: Boolean
  • Usage Constraints: optional
  • Default: false
  • Allows the XmlFilter to load external documents. If this is set to true, the proxy might make outbound calls to the internet or intranet. This might or might not be harmful depending on your firewall setup. Furthermore, the proxy might retrieve malicious DTDs from the internet, with possible future flaws in them.

SchemaDirectory

  • Type: String
  • Usage Constraints: optional
  • Defines the directory where schemas are located.

SchemaCatalog

  • Type: Newline-separated list of strings
  • Usage Constraints: required if a SchemaDirectory is configured
  • Syntax: <systemId>:<filename>
  • Defines the mapping between a systemId and a file inside the configured schema directory. For example: http://www.w3.org/TR/html4/strict.dtd : strict.dtd. It is ignored if no SchemaDirectory is configured.

SchemaType

  • Type: Enum: UNKNOWN, DTD, XSD
  • Default: UNKNOWN

The schema type of the files configured in the SchemaCatalog depends on the suffix of the filename. If the filename ends with .dtd, a DTD schema is assumed; if it ends with .xsd, an XSD schema is assumed. For all other suffixes, the schema type depends on the configuration of this parameter:

  • UNKNOWN: try to determine the schema type from the content. This may not work for complex schemas.
  • DTD: handle them as DTD schema files
  • XSD: handle them as XSD schema files

ValidateSchema

  • Type: Boolean
  • Default: true
  • Secure default: true
  • If false, only some basic XML verification is done; the content is not validated against an XSD schema. If true, the body is validated against the configured SchemaCatalog. If a schema is missing, the request is blocked.
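
A pre-deployment check for the SchemaCatalog, SchemaType and ValidateSchema settings described above, as an added example (not nevisProxy code): it parses `<systemId>:<filename>` lines, applies the suffix rule, and reports entries whose file is missing or resolves outside the SchemaDirectory. The function names, the sample catalog and the choice to split on the last colon are assumptions.

```python
import os

# Constructed sample SchemaCatalog value (one <systemId>:<filename> per line).
SAMPLE_CATALOG = """\
http://www.w3.org/TR/html4/strict.dtd : strict.dtd
urn:example:orders : orders.xsd
urn:example:legacy : legacy.schema
urn:example:escape : ../outside.xsd
"""

def parse_catalog(text):
    """Return (systemId, filename) pairs from a newline-separated catalog."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # A systemId such as a URL contains ':' itself, so split on the LAST
        # colon. Assumption: filenames contain no ':'.
        system_id, sep, filename = (p.strip() for p in line.rpartition(":"))
        if not sep or not system_id or not filename:
            raise ValueError(f"not <systemId>:<filename>: {line!r}")
        entries.append((system_id, filename))
    return entries

def schema_type(filename, configured="UNKNOWN"):
    """Suffix decides; the SchemaType parameter only covers other suffixes."""
    if filename.endswith(".dtd"):
        return "DTD"
    if filename.endswith(".xsd"):
        return "XSD"
    return configured

def lint_catalog(text, schema_dir, configured="UNKNOWN"):
    """Return (systemId, finding) pairs worth fixing before deployment."""
    root = os.path.realpath(schema_dir)
    findings = []
    for system_id, filename in parse_catalog(text):
        path = os.path.realpath(os.path.join(root, filename))
        if os.path.commonpath([root, path]) != root:
            findings.append((system_id, "file resolves outside SchemaDirectory"))
        elif not os.path.isfile(path):
            findings.append((system_id, "schema file missing"))
        if schema_type(filename, configured) == "UNKNOWN":
            findings.append((system_id, "schema type will be guessed from content"))
    return findings
```

Run `lint_catalog` against the directory that will be configured as SchemaDirectory; with ValidateSchema set to true, a "schema file missing" finding corresponds to requests that would be blocked.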