[wp-trac] [WordPress Trac] #36837: <script> tags in Admin Options page input field triggering mod_security
WordPress Trac
noreply at wordpress.org
Fri May 13 21:15:11 UTC 2016
#36837: <script> tags in Admin Options page input field triggering mod_security
----------------------------+-----------------------------
Reporter: maddogprod | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: 4.5.2
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
I have a site with a custom admin Options page. There are three fields and
it's a simple form that submits to options.php. One of the inputs is to
include Google AdWords Conversion code. For at least a year it's worked
fine on 100+ mini-sites. With the latest updates to 4.5x we ran into a
problem. When we submitted this options page we went to a 404 Error saying
"options.php can not be found."
The site host found that it triggered mod_security beause it includes
<script> tags. They disabled that mod_security rule and it works fine.
The problem is there are over 100 sites using this theme or variations
that include this. Testing them, if I get rid of the <script> tags in that
field it updates and works fine. Add the Conversion Code (or even one
<script> tag) and it triggers mod_security with the same problem.
The site host swears the mod_security rules haven't changed in years. So
it appears that one of the WP 4.5x updates probably affected it. I can't
pinpoint which one since they were updated to 4.5.2 before the problem was
discovered.
In searching I can't find any mention of this problem from other people
but again, it worked for a year and suddenly doesn't on any of the sites.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36837>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list