[wp-trac] [WordPress Trac] #36837: <script> tags in Admin Options page input field triggering mod_security

WordPress Trac noreply at wordpress.org
Fri May 13 21:15:11 UTC 2016

#36837: <script> tags in Admin Options page input field triggering mod_security
 Reporter:  maddogprod      |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Administration  |    Version:  4.5.2
 Severity:  normal          |   Keywords:
  Focuses:  administration  |
 I have a site with a custom admin Options page. There are three fields and
 it's a simple form that submits to options.php. One of the inputs is to
 include Google AdWords Conversion code. For at least a year it's worked
 fine on 100+ mini-sites. With the latest updates to 4.5x we ran into a
 problem. When we submitted this options page we went to a 404 Error saying
 "options.php can not be found."

 The site host found that it triggered mod_security because it includes
 <script> tags. They disabled that mod_security rule and it works fine.

 The problem is there are over 100 sites using this theme or variations
 that include this. Testing them, if I get rid of the <script> tags in that
 field it updates and works fine. Add the Conversion Code (or even one
 <script> tag) and it triggers mod_security with the same problem.

 The site host swears the mod_security rules haven't changed in years. So
 it appears that one of the WP 4.5x updates probably affected it. I can't
 pinpoint which one since they were updated to 4.5.2 before the problem was

 In searching I can't find any mention of this problem from other people
 but again, it worked for a year and suddenly doesn't on any of the sites.

Ticket URL: <https://core.trac.wordpress.org/ticket/36837>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
