Forum Discussion

IoF (Altostratus)
May 12, 2022

ASM/WAF policy - Parameter value type was determined to be "XML value" but really it is "HTML"

Hi, hoping someone can help with this issue.

F5 WAF suggested that the parameter "text" should be "XML value". I agreed and I'm using the default XML content profile.

However the actual value looks like HTML code to me, which is not an option anywhere AFAIK. Mostly there are no issues, except for some special situations like this particular request that contains "(" and ")" characters in the value.

As a result I'm getting an error:

XML Buffer(
Description: Malformed document
Illegal data between tags
Parameter Location: Form Data
Parameter Level:
Parameter Name:
Parameter Value:

The request looks very similar to the one below:

POST /aaa/bbb HTTP/1.1
Connection: keep-alive
Content-Length: 00000
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: ************


Is there any way to tweak the XML content profile to make this work, or should I switch the parameter to user-input/alphanumeric and add the HTML meta characters as allowed?

1 Reply

  • Pache (Nimbostratus)

    You could define /aa/bb on the allow URLs and add to it a Header Based Content Profile:

    Request Header name: Content-Type

    Request Header Value: * application/x-www-form-urlencoded *

    Request Body Handling: Form Data

    Profile Name: N/A

    Then you can create a parameter text and set the parameter value type to XML value. Then use the XML default content profile.
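An added example, not written by either poster and not F5 code: a Python check of whether sample values of the `text` form parameter are well-formed XML, which helps decide between the "XML value" type and a user-input type before changing the policy. The request bodies are constructed, and Python's expat parser stands in for the WAF's XML parser as an assumption, so its error text will differ from what ASM reports.

```python
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET


def xml_wellformed(value):
    """Return (True, None) if value is one well-formed XML document,
    otherwise (False, parser_error_message)."""
    try:
        ET.fromstring(value)
        return True, None
    except ET.ParseError as exc:
        return False, str(exc)


def check_form_param(body, name):
    """URL-decode a form body and test every occurrence of one parameter.
    Returns a list of (decoded_value, is_wellformed, error)."""
    values = parse_qs(body, keep_blank_values=True).get(name, [])
    return [(v,) + xml_wellformed(v) for v in values]


# Constructed application/x-www-form-urlencoded bodies (not from the thread).
SAMPLES = {
    # <p>Call us (today)</p> : parentheses inside element text
    "parentheses in text": "text=%3Cp%3ECall+us+%28today%29%3C%2Fp%3E",
    # <p>one</p> (two) <p>three</p> : text and a second element after the root
    "fragment, several roots": "text=%3Cp%3Eone%3C%2Fp%3E+%28two%29+%3Cp%3Ethree%3C%2Fp%3E",
    # <p>line<br>break</p> : HTML void element left unclosed
    "unclosed br": "text=%3Cp%3Eline%3Cbr%3Ebreak%3C%2Fp%3E",
    # <p>a&nbsp;b</p> : HTML named entity that plain XML does not define
    "html entity": "text=%3Cp%3Ea%26nbsp%3Bb%3C%2Fp%3E",
}


def classify(samples, name="text"):
    """Map each sample label to True only if every value of the parameter
    parsed as well-formed XML."""
    return {label: all(ok for _, ok, _ in check_form_param(body, name))
            for label, body in samples.items()}


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        for value, ok, err in check_form_param(body, "text"):
            print(f"{label:24} {'XML ok' if ok else 'not XML'}  {value!r}  {err or ''}")
```

Running this over values captured from real traffic for the parameter shows how often the application sends HTML fragments that a strict XML check would reject.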