Configuration
This plugin is compatible with DB-less mode.
Compatible protocols
The XML Threat Protection plugin is compatible with the following protocols:
grpc
, grpcs
, http
, https
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
-
string required
The name of the plugin, in this case
xml-threat-protection
.- If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is
name
. - If using the KongPlugin object in Kubernetes, the field is
plugin
.
- If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is
-
string
An optional custom name to identify an instance of the plugin, for example
xml-threat-protection_my-service
.The instance name shows up in Kong Manager and in Konnect, so it's useful when running the same plugin in multiple contexts, for example, on multiple services. You can also use it to access a specific plugin instance via the Kong Admin API.
An instance name must be unique within the following context:
- Within a workspace for Kong Gateway Enterprise
- Within a control plane or control plane group for Konnect
- Globally for Kong Gateway (OSS)
-
string
The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level
/plugins
endpoint. Not required if using/services/{serviceName|Id}/plugins
. -
string
The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level
/plugins
endpoint. Not required if using/routes/{routeName|Id}/plugins
. -
string
The name or ID of the consumer the plugin targets. Set one of these parameters if adding the plugin to a consumer through the top-level
/plugins
endpoint. Not required if using/consumers/{consumerName|Id}/plugins
. -
boolean default:
true
Whether this plugin will be applied.
-
record required
-
set of type
string
required default:application/xml
A list of Content-Type values with payloads that must be validated.
-
set of type
string
requiredA list of Content-Type values with payloads that are allowed, but aren’t validated.
-
boolean required default:
false
Indicates whether an XML Document Type Definition (DTD) section is allowed.
-
boolean required default:
true
If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.
-
integer required default:
50
Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.
-
integer required default:
100
Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.
-
integer required default:
100
Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.
-
integer default:
20
Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.
-
integer required default:
10485760
Maximum size of the entire document.
-
integer required default:
1048576
Maximum size of the unparsed buffer (see below).
-
integer required default:
1024
Maximum size of comments.
-
integer required default:
1024
Maximum size of the localname. This applies to tags and attributes.
-
integer default:
1024
Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.
-
integer default:
1024
Maximum size of the namespace URI. This value is required if parsing is namespace-aware.
-
integer required default:
1048576
Maximum size of the attribute value.
-
integer required default:
1048576
Maximum text inside tags (counted over all adjacent text/CDATA elements combined).
-
integer required default:
1024
Maximum size of processing instruction targets.
-
integer required default:
1024
Maximum size of processing instruction data.
-
integer required default:
1024
Maximum size of entity names in EntityDecl.
-
integer required default:
1024
Maximum size of entity values in EntityDecl.
-
integer required default:
1024
Maximum size of systemId, publicId, or notationName in EntityDecl.
-
number required default:
100
Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.
-
integer required default:
8388608
Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.
-