0

I have a valid and verified Add-In/manifest which passes npm run validate. I, as well as hundreds of users, am able to download my manifest through a link. However, some users have been facing this error:

This app can't be installed. The manifest XML file isn't valid. For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the setting into XmlReaderCreate method.


In what situations can an error like this appear for some users?

wsoccorsi
  • 45
  • 8
  • Did you try to validate your manifest using the `npm run validate` command? See [Validate an Office Add-in's manifest](https://learn.microsoft.com/en-us/office/dev/add-ins/testing/troubleshoot-manifest) for more information – Eugene Astafiev Jul 16 '20 at 14:07
  • Sorry this isn't clear, I edited to reflect this. I do pass npm run validate – wsoccorsi Jul 16 '20 at 14:42
  • And XML schema validation? – Eugene Astafiev Jul 16 '20 at 14:44
  • It looks like all validation is great but what gets me is what is conditional about this error. https://stackoverflow.com/questions/13854068/dtd-prohibited-in-xml-document-exception How can I change the parsing, isn't this on Microsoft's end? – wsoccorsi Jul 17 '20 at 14:08
  • Can you provide stripped down version of the manifest file so that we can reproduce this issue from our side and check? – Outlook Add-ins Team - MSFT Jul 21 '20 at 13:29
  • @OutlookAdd-insTeam-MSFT absolutely. What is a safe way to send you the manifest – wsoccorsi Jul 21 '20 at 17:29
  • You can upload it to a repo from where we can access it. As mentioned before, only a basic version is required with which issue repros. – Outlook Add-ins Team - MSFT Jul 21 '20 at 18:38
  • Do let us know if you have any concerns on sharing manifest publicly. – Outlook Add-ins Team - MSFT Jul 21 '20 at 18:46
  • @OutlookAdd-insTeam-MSFT I went ahead and shared my manifest with you through the Outlook feedback button. Please let me know if that works. – wsoccorsi Jul 21 '20 at 18:51
  • @wsoccorsi Can you share the link to your repo instead? It would be easier for us to access it that way. – Outlook Add-ins Team - MSFT Jul 22 '20 at 11:02
  • @OutlookAdd-insTeam-MSFT no worries here is the link https://addin.yesware.com/addin/install?direct_install=1 – wsoccorsi Jul 22 '20 at 17:01
  • @OutlookAdd-insTeam-MSFT an update on this error: it only happens when installing by URL. Users can get around this by installing the manifest and uploading directly. – wsoccorsi Jul 22 '20 at 18:32
  • @wsoccorsi We did not find any issue with the manifest shared by you and the error did not repro for us. The only way we could get the same error is by explicitly adding a DTD to the XML. Since you mentioned that the same manifest works on uploading directly, is it possible that users facing this issue are hitting a URL with incorrect XML (one with DTD)? – Outlook Add-ins Team - MSFT Jul 23 '20 at 11:26
  • @OutlookAdd-insTeam-MSFT that is very strange. I am not sure how a user would even go about accidentally doing that. We have a theory: since it only happens with a URL, it could be a network error on the user side. Firewall or something of the sort. Thanks for trying to recreate it though! – wsoccorsi Jul 23 '20 at 14:03

2 Answers

1

I have actually bumped into this issue a year ago. Like @OutlookAdd-insTeam-MSFT suggested, I also believe this is related to networking, specifically to DNS.

Here's what I was able to find out, but unfortunately my client never came back and confirmed if it was useful.

(Please note that parts of the text are quoted from the sites listed at the bottom.)

Error message

Application cannot be installed. Manifest XML is not valid. For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.

Why this happens?

When the manifest.xml is read by O365, it is being resolved via msoid.[organization_name].onmicrosoft.com and msoid.onmicrosoft.com. If this fails (due to a typo in etc.), an HTTP 404 error is invoked. At this point your ISP's DNS server should take over and offer to resolve the address according to its CNAME record table. However, some organizations might have an additional DNS assistance in place. Once a 404 error is detected by msoid resolver service, the ISP's DNS will try to take over the DNS resolving (DNS assistance). When that fails (due to a missing CNAME record or a typo), it returns an HTML-formatted query result back to O365. It is basically an HTTP 200 response which is interpreted by O365 as a successful authentication. After this O365 starts to process the HTML-formatted response as if it was the original manifest.xml. And as the HTML contains a DTD declaration in an incorrect way, you receive the error "For security reasons DTD is prohibited in this XML document".

Possible solutions:

a) Make sure DNS settings on the client's computer are set correctly.

b) Temporarily switch to another DNS server (e.g. Google DNS)

d) Turn off DNS assistance service (if applicable)

Please see the articles below for more information:

https://www.codetwo.com/kb/dtd-prohibited/

https://www.veeam.com/kb2821

http://sharepointers.blogspot.com/2017/03/connect-pnponline-for-security-reasons.html

https://learn.microsoft.com/fi-fi/office365/admin/services-in-china/purpose-of-cname?redirectSourcePath=%252fen-us%252farticle%252fWhat-s-the-purpose-of-the-Office-365-CNAME-record-for-msoid-19b67e2b-1b28-4432-8cca-394803fbdc87&view=o365-21vianet

https://blogs.msdn.microsoft.com/joerg_sinemus/2017/07/10/sharepoint-online-vanity-domain-powershell-csom-and-the-msoid-cname-record/

Atso
  • 26
  • 3
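The failure mode described in the answer above (an HTML page returned in place of the manifest), as an added example that is not part of the original answer: a check that classifies the bytes a manifest URL actually returned, rejecting any DOCTYPE the way a DTD-prohibiting XML reader does. The function name, result labels and sample bodies are constructed for illustration.

```python
import xml.parsers.expat

MANIFEST_ROOT = "OfficeApp"  # root element of an Office Add-in manifest


class DtdFound(Exception):
    """Raised from the DOCTYPE handler to stop parsing at the first DTD."""


def classify_manifest_body(body: bytes) -> str:
    """Classify what a manifest URL returned (hypothetical helper)."""
    root = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdFound(name)  # any DOCTYPE is rejected, valid or not

    def on_start(name, attrs):
        if not root:
            root.append(name.split(" ")[-1])  # drop the namespace URI

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except DtdFound as exc:
        return f"dtd-prohibited (DOCTYPE {exc})"
    except xml.parsers.expat.ExpatError:
        return "malformed-xml" if root else "not-xml"
    return "manifest" if root == [MANIFEST_ROOT] else f"unexpected-root ({root[0]})"


# Constructed sample bodies (not taken from the page).
SAMPLE_MANIFEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">'
    b'<Id>00000000-0000-0000-0000-000000000000</Id></OfficeApp>'
)
SAMPLE_ASSIST_PAGE = (  # the kind of HTML a "DNS assistance" service returns
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
    b'"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">'
    b'<html><head><title>Search results</title></head><body/></html>'
)

if __name__ == "__main__":
    for label, body in (("manifest", SAMPLE_MANIFEST), ("assist page", SAMPLE_ASSIST_PAGE)):
        print(label, "->", classify_manifest_body(body))
```

Running the same check on the body an affected user's network returns for the install URL shows whether the client ever received the manifest at all.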
0

You can validate the manifest file against the XML Schema Definition (XSD) files. This will ensure that the manifest file follows the correct schema, including any namespaces for the elements you are using. If you copied elements from other sample manifests double check that you also include the appropriate namespaces. You can use an XML schema validation tool to perform this validation.

To use a command-line XML schema validation tool to validate your manifest you need:

  1. Install tar and libxml, if you haven't already.
  2. Run the following command. Replace XSD_FILE with the path to the manifest XSD file, and replace XML_FILE with the path to the manifest XML file.
```
xmllint --noout --schema XSD_FILE XML_FILE
```

Also, you can try to validate your manifest using the `npm run validate` command. See [Validate an Office Add-in's manifest](https://learn.microsoft.com/en-us/office/dev/add-ins/testing/troubleshoot-manifest) for more information.

Eugene Astafiev
  • 47,483
  • 3
  • 24
  • 45
  • I get the following output: Valid Manifest Schema: Your manifest does adhere to the current set of XML schema definitions for Add-in manifests. – wsoccorsi Jul 17 '20 at 13:48