Please advise the approach to configuring the WAF profile for POST requests with the content type: "application/x-www-form-urlencoded;charset=UTF-8" and form fields containing XML.

Hello Manjunath,

Yes, you are right. I would like to understand the recommended approach to configuring Citrix ADC WAF in the case when a POST request generated by an HTML form contains a field with XML data, something like the following:

Form data:

AddFields_List: "<I C='some value1' VI='#SOME ID VALUE' T='Boolean' ..... V='N'> <TI V='N' T='No' /> <TI V='Y' T='Yes' /> </I> ..... <TI V='Yes'/> <TI V='No'/>"

AddF_01: "another value"
In this case the "AddFields_List" form field triggers HTML XSS and Command injection protection mechanisms.

Best regards,

Alex D.

Hi Alex,

In this case, the submitted XML data is processed as form data. Applying HTML checks will therefore be sufficient to shield it from SQLi and command injections.

You might need to implement relaxation rules for the XML tags because they will cause XSS violations when used on form data. 

We cannot apply XML protections on the HTML form data.


Manjunath M
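A worked configuration for the field-scoped relaxation Manjunath describes, added here as an example; it is not part of either poster's messages. It assumes a profile named appfw_prof_forms and a form action URL of /forms/submit (both placeholders), and uses the `bind appfw profile -crossSiteScripting` option names as given in the Citrix ADC CLI reference; check them against the reference for the release in use.

```text
# Option 1: skip the HTML XSS check only for the one form field that
# legitimately carries XML. The field name comes from the thread; the
# profile name and form action URL are placeholders.
bind appfw profile appfw_prof_forms -crossSiteScripting AddFields_List "/forms/submit" -isRegex_xss NOTREGEX -location_xss FORMFIELD

# Option 2 (tighter): keep the check on the field but allow only the two
# element names the XML actually uses (<I> and <TI>), so any other tag in
# that field still trips the XSS check. Assumes the Tag value type takes
# a regex over element names, as in the CLI reference.
bind appfw profile appfw_prof_forms -crossSiteScripting AddFields_List "/forms/submit" -isRegex_xss NOTREGEX -location_xss FORMFIELD -valueType_xss Tag "^(I|TI)$" -isValueRegex_xss REGEX

# Leave the check itself enforcing (block + log) so the relaxation above
# is the only exception, then confirm the binding is present.
set appfw profile appfw_prof_forms -crossSiteScriptingAction block log stats
show appfw profile appfw_prof_forms
```

Use one of the two bind commands, not both; the relaxation is keyed on field name and form URL, so each further field that carries XML needs its own binding.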

Hi Manjunath,

Thank you very much for the answers and clarifications provided!

You have confirmed that I have not missed some kind of "silver bullet" approach for this case in the documentation or other articles.

From my side, I could add that the HTML XSS protection engine (at least in version tries to process the XML content of an HTML form field and represent it as a variable set of HTML form fields and tags, so in this case the only way to prevent this is to create an XSS Relaxation Rule for an HTML form field containing XML data.

Thanks one more time for your response!

Take care!

Best regards,

Alex D.

