I encountered this audit in the log:

2022-05-25T10:28:16.517+0200 WARNING 695 com.l7tech.server.policy.assertion.ServerCodeInjectionProtectionAssertion: 7152: Cannot parse Request message body as Invalid character in <?xml version; <?xml version="1.0" encoding="utf-8"?><Document xmlns="http://<HostHame_DomainName>/de/pacs.008.001.02.ch.02">

.

.

.

This payload used to be parseable on V9.x but now it's rejected in 10.1. The primary tag is very common in XML payloads, therefore we don't understand what it doesn't like about it.

We only have "HTML/JavaScript Injection (Cross Site Scripting)" enabled under "Available Protections" within the assertion. Body is obviously ticked.

You can probably copy-paste the payload and might run into the same error. I'm already running into an error when I just try this little bit of the payload:

<?xml version=>

Seems like it doesn't like the "=" character?

Release : 10.1

Component : API GATEWAY

The issue is the content-type. It's set to "application/x-www-form-urlencoded". Seems like in that case the Code Injection assertion can't parse the payload properly because of the "=".

With text/plain it works (which is what Postman is setting by default).