
ASM/WAF policy - Parameter value type was determined to be "XML value" but really it is "HTML"

IoF
Nimbostratus

Hi, hoping someone can help with this issue.

F5 WAF suggested that the parameter "text" should be "XML value". I agreed and I'm using the default XML content profile.

However the actual value looks like HTML code to me, which is not an option anywhere AFAIK. Mostly there are no issues, except for some special situations like this particular request that contains "(" and ")" characters in the value.

As a result I'm getting an error:

XML Buffer(
Description: Malformed document
Illegal data between tags
Context
Parameter Location: Form Data
Parameter Level: Global
Parameter Name: text
Parameter Value: ***************

The request looks very similar to the one below:

POST /aaa/bbb HTTP/1.1
Host: aaa.bbb.org
Connection: keep-alive
Content-Length: 00000
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: https://aaa.bbb.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://aaa.bbb.org
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: ************
X-Forwarded-For: 1.1.1.1

text=<b>aaa+aa.+11111+aa+aaaaaaa+111+1111+</b>(<a+href="https://www.ccc.org/ddd/111/ppp.pdf">aaaa11.222</a>+-+oooooooooo)+(eeeeeeeee+jjjjjjjjjj+1,+2222)
&input_format=full_html&token=xxxxxxxxxxxx

Is there any way to tweak the XML content profile to make this work, or should I switch the parameter to user-input/alphanumeric and add the HTML meta characters as allowed?

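An added example, not part of the original post: it decodes the posted form body and runs the "text" value through a strict XML well-formedness check to show where an HTML fragment stops being a valid XML document. Python's expat binding is used as a stand-in for the WAF's XML parser, whose internals the post does not show; the wrapped and `<br>` samples are constructed.

```python
import xml.parsers.expat
from urllib.parse import parse_qs

# Form body as posted in the question (values already sanitized by the poster;
# the line break in the post is joined here).
BODY = (
    'text=<b>aaa+aa.+11111+aa+aaaaaaa+111+1111+</b>'
    '(<a+href="https://www.ccc.org/ddd/111/ppp.pdf">aaaa11.222</a>'
    '+-+oooooooooo)+(eeeeeeeee+jjjjjjjjjj+1,+2222)'
    '&input_format=full_html&token=xxxxxxxxxxxx'
)


def check_xml(value):
    """Well-formedness check: returns (ok, reason, column of first error)."""
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(value, True)
    except xml.parsers.expat.ExpatError as err:
        return False, xml.parsers.expat.ErrorString(err.code), err.offset
    return True, "well-formed", None


def report(label, value):
    """Print the verdict and a short excerpt starting at the error column."""
    ok, reason, col = check_xml(value)
    where = "" if ok else f" at column {col}: {value[col:col + 12]!r}"
    print(f"{label:<20} {reason}{where}")
    return ok, reason, col


# '+' decodes to a space; only the first '=' of each pair splits name and value,
# so the '=' inside href="..." stays in the value.
TEXT = parse_qs(BODY)["text"][0]

if __name__ == "__main__":
    # The value from the post: <b>...</b> is the document element, and the
    # text that follows it sits outside any element.
    report("posted value", TEXT)
    # Constructed variants (not from the post):
    report("wrapped in one root", "<p>" + TEXT + "</p>")
    report("HTML void element", "<p>aaa<br>bbb</p>")
```

The posted value fails at the `(` directly after `</b>`, because character data after the first top-level element closes is outside the document element; the same content inside a single wrapper element parses, while ordinary HTML such as an unclosed `<br>` fails for a different reason.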