We need to check that only IP addresses separated by commas appear in the X-Forwarded-For (XFF) header, that the IP addresses that appear are well constructed and that no strange characters appear in the text string

The following CPL  code will fulfill the request:

<proxy>
url.domain="www.domainname.ltd" condition=condicionXFF ALLOW

define condition condicionXFF
   request.header.x-forwarded-for.exists=no
   request.header.x-forwarded-for="^(\d{1,3}\.){3}\d{1,3}(,*(\d{1,3}\.){3}\d{1,3})*$"
end condition condicionXFF