Any easy way to encode special characters in flow variables to be inserted into XML Payload?


When creating a SOAP request with an AssignMessage policy, I very often need to insert {variables} that may contain special characters (like <, > or &) in the <Payload> section, while still producing a valid XML document (the SOAP request).

For example:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="build-soap-request">
    <DisplayName>Build getSubcriberInfo SOAP Request</DisplayName>
    <Add>
        <Headers>
            <Header name="SOAPAction">getSubcriberInfo</Header>
        </Headers>
    </Add>
    <Set>
        <Payload contentType="text/xml; charset=utf-8">
            <soapenv:Envelope
                xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                xmlns:ups="http://www.company.com/Upselling/">
                <soapenv:Header>
                </soapenv:Header>
                <soapenv:Body>
                    <ups:getSubcriberInfo>
                        <customer>{inputs.customer}</customer>
                    </ups:getSubcriberInfo>
                </soapenv:Body>
            </soapenv:Envelope>
        </Payload>
        <Verb>POST</Verb>
        <Path>/Company/GetSubscriberInfo/V1</Path>
    </Set>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

In the example above, the variable {inputs.customer} was extracted from a query parameter, so it may contain special characters.

If that's the case, the above Payload will be an invalid XML document and therefore the SOAP request will fail.

Or worse... the {inputs.customer} can be a way to inject XML into the payload for malicious purposes.

Is there an easy way to properly encode the variable to XML before inserting into the Payload?


Hi roberto.navas@millicom.com,

Javascript can be used to encode the query parameter before inserting it in the SOAP request.


First, you should always be using a threat protection policy when accepting payload via your API. Take a look at the docs for more info.

Second, you will need to encode the value of inputs.customer earlier in the flow. I would run the variable through something like the following to encode or decode:

// Apigee JavaScript policy: overwrite the flow variable with its escaped form
// before the AssignMessage policy substitutes it into the Payload.
context.setVariable('inputs.customer', htmlEscape(context.getVariable('inputs.customer')));

function htmlEscape(str) {
    return String(str)
        .replace(/&/g, '&amp;')   // ampersand must be escaped first
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;');
}

function htmlUnescape(value) {
    return String(value)
        .replace(/&quot;/g, '"')
        .replace(/&#39;/g, "'")
        .replace(/&lt;/g, '<')
        .replace(/&gt;/g, '>')
        .replace(/&amp;/g, '&');  // ampersand must be unescaped last
}

The HTML editor is unable to handle my source so... use your favorite encoder.
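The escape step described above, written out as an added example (this is not code from the original post or from Apigee). It assumes the same five XML predefined entities, adds the check a reviewer would want (that the escaped value contributes no markup of its own), and strips the control characters that XML 1.0 forbids even when escaped; the `context` object is the one Apigee's JavaScript policy provides and is guarded so the file also runs under plain Node.

```javascript
// Added example: escape a flow variable for safe insertion into an XML/SOAP payload.

// Characters XML 1.0 does not allow at all (C0 controls other than tab, LF, CR,
// plus U+FFFE/U+FFFF). Entity escaping cannot make these valid, so drop them.
var INVALID_XML_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/g;

// Escape the five characters that have meaning in XML markup. '&' goes first so
// the ampersands introduced by the other replacements are not escaped again.
function xmlEscape(str) {
  return String(str)
    .replace(INVALID_XML_CHARS, '')
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Inverse of xmlEscape; '&amp;' goes last for the same reason '&' went first.
function xmlUnescape(str) {
  return String(str)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&');
}

// Sanity check on an escaped value: it must contain no '<' and every '&' must
// begin a predefined or numeric character reference. If this fails, the value
// would change the structure of the document it is inserted into.
function isInertText(text) {
  if (text.indexOf('<') !== -1) return false;
  var ref = /&(amp|lt|gt|quot|apos|#[0-9]+|#x[0-9a-fA-F]+);/g;
  return text.replace(ref, '').indexOf('&') === -1;
}

// Build the <customer> element from the raw query-parameter value.
function buildCustomerElement(rawCustomer) {
  return '<customer>' + xmlEscape(rawCustomer) + '</customer>';
}

// Inside an Apigee JavaScript policy the runtime supplies `context`; under Node
// it is undefined, so the example stays runnable in both places.
if (typeof context !== 'undefined') {
  context.setVariable('inputs.customer',
    xmlEscape(context.getVariable('inputs.customer')));
}
```

Run this as a JavaScript policy step before the AssignMessage policy so that `{inputs.customer}` is already escaped when the Payload template is filled in. The escaped string is safe in element content and, because quotes are escaped too, in attribute values.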

Thanks. Since this is such a common need, I was hoping Apigee EDGE would have some policy/parameter to handle this.