[wp-trac] [WordPress Trac] #35838: Customizer Save & Publish fails if /*SQL-COMMAND in text box (only on some hosts)

WordPress Trac noreply at wordpress.org
Sat Feb 20 02:59:18 UTC 2016

#35838: Customizer Save & Publish fails if /*SQL-COMMAND in text box (only on some
 Reporter:  wpweaver      |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Customize     |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:

Comment (by voldemortensen):

 This is being blocked by mod_security rules. Just looked at the ajax
 request in the console and saw the `406 Not Acceptable` response code with
 this as the response body:


 When I get into the office next week I'll track down which rule and see if
 it can be adjust to be secure and allow this, but that seems unlikely.
 GreenGeeks must be using, at least partially, the same lists as Bluehost.

 > This is possibly not a WP bug, but is still a real issue as plenty of
 users have cheap host like BlueHost or GreenGeeks, so I think it needs to
 be addressed.

 While it's true many people are hosted on Bluehost and GreenGeeks, I don't
 think using `/*insert`, `/*delete`, `/*select`, etc is a very common
 practice. Seems pretty edge case to me. Either way, I'll dig deeper when I
 get to the office. In the mean time, it is possible to use `*insert`, etc
 without the leading slash.

Ticket URL: <https://core.trac.wordpress.org/ticket/35838#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list