XML treat protection policy is failing for ampersand ('&') in tag value

Google Cloud Apigee
1

We have XML treat protection policy in proxy with following configuration -

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<XMLThreatProtection async="false" continueOnError="false" enabled="true" name="XTP-XMLRequestTreatProtect">
    <DisplayName>XTP-XMLRequestTreatProtect</DisplayName>
    <Properties/>
    <NameLimits>
        <Element>50</Element>
        <Attribute>50</Attribute>
        <NamespacePrefix>50</NamespacePrefix>
        <ProcessingInstructionTarget>50</ProcessingInstructionTarget>
    </NameLimits>
    <Source>request</Source>
    <StructureLimits>
        <NodeDepth>10</NodeDepth>
        <AttributeCountPerElement>100</AttributeCountPerElement>
        <NamespaceCountPerElement>10</NamespaceCountPerElement>
        <ChildCount includeComment="false" includeElement="true" includeProcessingInstruction="true" includeText="true">500</ChildCount>
    </StructureLimits>
    <ValueLimits>
        <Text>500</Text>
        <Attribute>500</Attribute>
        <NamespaceURI>100</NamespaceURI>
        <Comment>-1</Comment>
        <ProcessingInstructionData>100</ProcessingInstructionData>
    </ValueLimits>
</XMLThreatProtection>

It throws error when xml tag has value ampersand (‘&’). For example consider following xml payload

<root>
	<msg>City & Village</msg>
</root>

This policy fails with below error -

{"fault":{"faultstring":"XMLThreatProtection stepDefinition XTP-XMLRequestTreatProtect: Execution failed. reason: Unknown entity at line 2(possibly  around char 19)","detail":{"errorcode":"steps.xmlthreatprotection.ExecutionFailed"}}}

How to allow ‘&’ in tag value?

2

Hi @Sujnana Rai, some characters should be escaped in XML.

The ampersand(&) is not a valid character in XML and must be replaced with an entity reference like, & amp;

& amp;       <-----(please see that there should not be a whitespace between & and a)

Please give it a try & if you face any issue, post here.