Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
@generosus Can you please not cross post your topic in replies to other topics? That does not help anyone and I archived that reply.
Hey @jdembowski,
Got it. From my point of view, thought it would help. Won’t happen again.
Cheers
Hi @generosus,
It seems likely this has to do with mod_security or similar blocking the code in the request.
We’re working on a potential fix to hopefully get around this.
Hi @bungeshea,
Thanks for the quick reply. Yeah, that seems to be the issue.
This is the Console Error we’re getting: https://prnt.sc/yjEjjcD1fuWg
Most likely, these are the plugin changes that are causing the issue: https://prnt.sc/n5c-UdCsXzs7
Not an expert here, but it appears your new REST API endpoints are being blocked by WordPress, host servers, CDNs, and/or security plugins.
We’ll keep investigating as well.
Looking forward to your fix
Thank you!
Update:
So, we may have found the culprit: Cloudflare.
It does not like your code change. A Cloudflare Rule ID is blocking your plugin’s requests.
Details: https://prnt.sc/3gNyy0oDLNAs
Cheers
Ah, I thought it must be something like this. Thank you for getting to the bottom of the cause, I really appreciate it.
I’m going to try adding a feature in the upcoming patch which escapes special characters in the code in an attempt to get CloudFlare, mod_security, etc to ignore things like script tags which it’s clearly picking up.
Hey @bungeshea,
That’s great. Thank you.
Please know that — just now — we created a Cloudflare WAF rule to bypass (or whitelist) the URI path generated by your plugin hoping that would fix the issue. Details: https://prnt.sc/fT4HGM3Py1dp
Unfortunately, the issue remains. We still couldn’t create a Code Snippet that adds (or modifies) JS code.
Based on the above, there are definitely other sources that are blocking the path.
Hope this helps a bit.
Cheers
Update:
We just updated your plugin to V3.4.1. This issue is partially fixed.
Specifically, when we try to create — for example — the test snippet provided below, we have to click “Save Changes” twice in order for the snippet to save. Otherwise, we still get the 403 Error.
Details (1st Time We Click “Save Changes”): https://prnt.sc/KH1IaBpm3ynH
Details (2nd Time We Click “Save Changes”): https://prnt.sc/WXfBzsc_0wC3
Is this happening to you as well?
Thank you
Update (One More):
Just in … Cloudflare is still blocking your plugin
Details: https://prnt.sc/Cd2nRzFqKNZr
Cheers
Ah, that’s annoying to hear. Is this happening with all snippets, or only certain ones?
Hey @bungeshea,
So, additional testing was performed. We are using the sample snippets provided here.
When we attempt to create a test code snippet using the CSS snippet provided in the above link, we have no issues.
However, when we attempt to create a test code snippet using the JS snippet provided in the above link, we have the issue reported.
We can get the JS snippet to save only after clicking “Save Changes” twice: the first time, Cloudflare blocks the request as an XSS attempt; the second time, it is skipped due to the Cloudflare “skip” rule we created.
Details: https://prnt.sc/e9JruUs7V4-i
So, in short, the issue lies with Cloudflare blocking your JS-type snippets (other sources could be blocking them as well). Going back to V3.30 solves this issue.
If you don’t have a Cloudflare account (free), I highly recommend creating one for testing purposes and to confirm/replicate our issue.
Thank you!
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
@generosus Could you stop cross posting into other people’s topics please?
I cleaned up that other topic.
Hey @jdembowski,
Got it. Please accept my sincere apologies. I was simply responding to the plugin author’s (@bungeshea’s) question in that topic. A trick question
Cheers.
Thank you for your response @generosus. We’re definitely going to need to look into doing some more extensive testing with Cloudflare, to see if we’re able to find a workaround for this issue.
If it’s possible to provide a rule that excludes a specific URL from false positives, then I can see that being a viable solution.
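As an added illustration of the “rule that excludes a specific URL” idea (this is not the plugin’s own configuration nor anything posted in the thread), here are two Cloudflare WAF custom rule expressions with the Skip action: the broad form that a quick fix tends to produce, and a narrower one. The host name and the `<plugin-rest-route>` segment are placeholders; the real route is whatever appears in the blocked request in the browser console.

```text
Broad (skips WAF managed rules for every request to the REST API on the site):

(http.host eq "example.com" and starts_with(http.request.uri.path, "/wp-json/"))

Narrow (only the plugin's own save endpoint, only POST, only for a logged-in WordPress session):

(
  http.host eq "example.com"
  and http.request.method eq "POST"
  and starts_with(http.request.uri.path, "/wp-json/<plugin-rest-route>/")
  and http.cookie contains "wordpress_logged_in_"
)
```

The Skip action turns off the managed XSS signatures for whatever the expression matches, so the request that the WAF would otherwise catch goes through unchecked. Keeping the match down to one route, one method, and requests that carry a WordPress login cookie limits that exposure to the same people who can already edit snippets in the admin area; in the Skip rule’s settings, choose to skip only the WAF managed rules rather than all remaining rules. The expression fields and the `starts_with()` function used here are part of Cloudflare’s rules language, but confirm the exact path against the blocked request before saving the rule.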
Hey @bungeshea,
Thank you. Yes, Cloudflare is definitely blocking code snippets that include XSS code. Our WAF “whitelisting” rule is our temporary workaround. A permanent fix is needed. You should be able to replicate the issue once you connect your test website(s) to Cloudflare.
Cheers