Plugin Author
AITpro
(@aitpro)
The single quote coding character, or apostrophe in writing, is one of the most dangerous coding characters there are, and hackers use it to execute SQL Injection attacks and other forms of hacking attempts. The single quote coding character is explicitly forbidden in search windows for that reason. If you would like to allow the single quote coding character on your website, see this Forum Topic for the BPS security filters that you would need to modify.
http://forum.ait-pro.com/forums/topic/feedburner-feed-header-causing-403-error/#post-456
The & coding character is not filtered or blocked since it is completely harmless.
Ok. So this is a common thing. For a moment I thought that maybe it’s something wrong with my site or with the settings in BPS.
Is there a work around to this without reducing much of the security?
If I removed this line with the single quote, what percentage of the security would I remove from BPS? 5-10%? More? Less?
Plugin Author
AITpro
(@aitpro)
Unfortunately, what happens is if you try to create exception rules then they negate the security filters anyway so commenting them out has the exact same effect/result. The workaround is to comment out the security filters.
The security impact cannot really be measured in percentages and you would have to look at it this way. If you comment those security filters out you leave your website vulnerable to certain SQL Injection hacking attempts, some forms of XSS hacking attempts and some forms of Code Injection hacking attempts. The single quote is a very handy coding character for hackers because it allows them to do a wide variety of hacking methods.
So basically you have to make a judgement call. From my personal experience, very few people complain about not being able to use an apostrophe in a search term, and most figure out after the first attempt that the apostrophe/single quote coding character is not allowed in search terms.
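An added example, not code from this thread or from the BPS plugin itself: a hypothetical request filter of the kind discussed above (it percent-decodes the query string so encoded apostrophes are caught too), shown next to the two application-side query patterns such a filter sits in front of. The posts table and its titles are constructed in-memory SQLite data.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample titles standing in for a site's posts table.
SAMPLE_POSTS = ["Don't panic", "Plain title", "Rock 'n' roll"]


def blocks_single_quote(query_string: str) -> bool:
    """Hypothetical filter mirroring the thread's rule: reject any query
    string carrying an apostrophe. Decoded twice so %27 and %2527 are
    both caught. Not the plugin's actual .htaccess rule."""
    decoded = unquote(unquote(query_string))
    return "'" in decoded


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?)", [(t,) for t in SAMPLE_POSTS])
    return conn


def search_concatenated(conn: sqlite3.Connection, term: str) -> list:
    """The pattern the filter exists to shield: the term is spliced into
    the SQL text, so an apostrophe ends the string literal early and the
    rest of the term is parsed as SQL."""
    sql = "SELECT title FROM posts WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """Bound parameter: the apostrophe stays data and never becomes syntax,
    so the search works without any character having to be forbidden."""
    sql = "SELECT title FROM posts WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def outcome(term: str) -> dict:
    """Summarise how one search term fares at each layer."""
    conn = make_db()
    try:
        concatenated = search_concatenated(conn, term)
    except sqlite3.Error as exc:  # the apostrophe breaks the SQL text
        concatenated = "SQL error: " + str(exc)
    return {
        "blocked_by_filter": blocks_single_quote("s=" + term),
        "concatenated": concatenated,
        "parameterized": search_parameterized(conn, term),
    }
```

The filter is a coarse outer layer; the parameterized query is what actually makes the apostrophe harmless, which is the trade-off the thread is weighing.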
I see. Well, thanks for the suggestion. I think I will just leave it as it is. I prefer security over being able to search with a single quote.
Thanks