Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
#1 2021-07-16 17:52:17
- GugUser
- Member
- From: Quito (Ecuador)
- Registered: 2007-12-16
- Posts: 1,473
ModSecurity blocks the saving of changes made in forms
In all my installations the following happens: If I change code in pages, then I can save this without any problems. If I make the same changes in forms, then the saving process is prevented by ModSecurity. For this reason, I then have to temporarily disable ModSecurity in the server configuration.
For example: In pages the change from <txp:output_form form="header" to <txp::header /> can be saved without any problem. The same in forms is blocked. I don’t understand why.
Offline
Re: ModSecurity blocks the saving of changes made in forms
Hosting companies reject stuff for the most random reasons. It might be because the two words ‘form’ occur in close proximity and it thinks you’re spamming. Or it doesn’t like the word ‘output’ in combination with some other words or tags in your template.
If it happens, contact your host and send them the stuff you’re trying to save and they’ll (usually) tweak their heuristics to let it through. But then…
GugUser wrote #331025:
the change from
<txp:output_form form="header"to<txp::header />can be saved without any problem.
That’s great. Saves typing :)
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Offline
#4 2021-07-17 01:33:41
- gomedia
- Plugin Author
- Registered: 2008-06-01
- Posts: 1,373
Re: ModSecurity blocks the saving of changes made in forms
The over zealous application of mod_security can at best be a pain, but at worst self defeating. Switching it off, just to get on with life is far from ideal. The danger is that the switching back on is forgotten or forsaken.
I’m glad I do 99% of my work locally, before transferring databases to live sites.
Bloke wrote #331027:
If it happens, contact your host and send them the stuff you’re trying to save and they’ll (usually) tweak their heuristics to let it through. But then…
I’ve tried arguing the toss before but they’re not interested. And I can understand in a way – a blanket ban is safer and easier for them to administer.
What we need is a mechanism “if I’m logged in to TXP admin, switch mod_security off until I log out”.
Offline
Re: ModSecurity blocks the saving of changes made in forms
gomedia wrote #331032:
The over zealous application of mod_security can at best be a pain, […]
I’m glad I do 99% of my work locally, before transferring databases to live sites.
As much as possible I work on the forms through my trusted editor, either locally when possible or else the theme copy on the server file system and then re-import (update from disc) the theme in use. That always beats those mod_security shenigans. My most recent experience with those (here) was when trying to correct a (silly) typo using my iPhone.
I’ve tried arguing the toss before but they’re not interested. And I can understand in a way – a blanket ban is safer and easier for them to administer.
I received a polite response, ignoring most of my message and ending with “you seem to have fixed it” note. Thank you nothankyou.
What we need is a mechanism “if I’m logged in to TXP admin, switch mod_security off until I log out”.
If that where possible, I’d be very happy.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Offline
Re: ModSecurity blocks the saving of changes made in forms
Honestly, it’d be a worthwhile exercise to consider creating a legit ruleset for Textpattern core on a variety of WAFs. They do add value to security if they’re configured correctly, whether or not a large hosting org would entertain the idea of custom rules is another matter, of course.
Offline