Support » Plugin: BulletProof Security » Allowing searching for terms with single quotes or apostrophes

  • Resolved dolby_uk


    I am trying to find a way to allow searching for words with single quotes or apostrophes in them (e.g. Selfridge’s ). The BulletProof Security plugin blocks the apostrophe as it’s a potential security threat. For a site I’m working, my client requires the user to be able to search for terms including apostrophes, e.g.:‘s

    When I remove the apostrophes from the .htaccess line that says:

    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

    and change it to:

    RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]

    I get a 403 error instead of just forwarding to the home page.

    Is there a way to firstly enable searching for terms with the single quote character in them, and secondly what are the security implications?



Viewing 1 replies (of 1 total)
  • Plugin Author AITpro


    You would need to modify 2 security rules in your root .htaccess file.

    The one you have already modified above in your post and this additional security filter below.

    Remove the ASCII %27 from this Referrer filter

    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]

    The security implications are that the single quote character is one of the most dangerous coding characters in general when used maliciously, but with that said there are so many layers of overlapping security and security filters in BPS that allowing the single quote coding character in Query Strings and from a Referrer on your website is still safe to do. We created several overlapping security rules for exactly this reason – some folks will need to make exceptions or want to allow some things that other folks do not want to allow. BPS starts from the maximum security settings and then allows you to decrease that security for whatever reasons you choose.

Viewing 1 replies (of 1 total)
  • The topic ‘Allowing searching for terms with single quotes or apostrophes’ is closed to new replies.