XSL Transformation fails when request contains a DOCTYPE declaration

Article ID: 5145

Updated On:

Products

CA API Gateway

Issue/Introduction

When performing an XSL Transformation on a request that contains a DOCTYPE declaration, the assertion fails with the errors below:

[Image: xslt.png]

For example, this request would fail:

[Image: doctype_sample.png]

Cause

This behavior is by design: it protects the Gateway against DTD Entity Expansion Attacks. From a technical perspective, the XML parser does not allow DOCTYPE declarations. When the parser encounters a message containing a DOCTYPE, it terminates parsing without expanding the entity or entities. The CA API Gateway then logs and audits a warning that a message was badly formed. This allows administrators to monitor potential intrusion attempts while keeping the protected services safe.
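The behavior described above can be reproduced outside the Gateway to pre-check requests before they are sent. This is an added example, not CA API Gateway code: it uses Python's expat bindings, and the names `check_request` and `DoctypeRejected` and the sample messages are constructed for illustration.

```python
import logging
import xml.parsers.expat

log = logging.getLogger("xml-precheck")


class DoctypeRejected(Exception):
    """Raised as soon as the parser reports a DOCTYPE declaration."""


def check_request(xml_bytes):
    """Return (accepted, reason, entities_declared) for one XML message."""
    parser = xml.parsers.expat.ParserCreate()
    entities = []  # entity names the parser got as far as declaring

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Called at the DOCTYPE itself, before the internal subset is
        # processed, so no entity has been declared or expanded yet.
        raise DoctypeRejected(name)

    def on_entity_decl(name, *rest):
        entities.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except DoctypeRejected as exc:
        # Mirror the warning-and-reject behavior: log it, do not process.
        log.warning("message rejected: DOCTYPE '%s' present", exc)
        return False, "DOCTYPE declaration not allowed", len(entities)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed: {exc}", len(entities)
    return True, "ok", len(entities)


# Constructed sample messages (not taken from the article's screenshots).
WITH_DOCTYPE = (b'<?xml version="1.0"?>\n'
                b'<!DOCTYPE order [<!ENTITY item "widget">]>\n'
                b'<order><name>&item;</name></order>')
WITHOUT_DOCTYPE = (b'<?xml version="1.0"?>\n'
                   b'<order><name>widget</name></order>')

if __name__ == "__main__":
    for label, msg in (("with DOCTYPE", WITH_DOCTYPE),
                       ("without DOCTYPE", WITHOUT_DOCTYPE)):
        print(label, "->", check_request(msg))
```

The second sample is the first with the DOCTYPE removed and the entity reference replaced by its literal value, which is the change the Resolution section calls for.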

Environment

Release:
Component: APIGTW

Resolution

The solution is to remove the DOCTYPE declaration from your request.

To resolve the issue with the sample provided earlier, it should be changed as follows:

[Image: doctype_solved.png]
