[SOLVED] HTML POST form gets 403 with certain characters in input
When I give it the input "<b>Test</b>" I get "Got: Test" as expected, but when I give it "<b>Test</b><!--comment-->" I get a 403 error. If I copy and paste the URL which is giving the 403 error I get (as expected) the form shown above.
I've heard tell that this is something to do with mod_security, but I won't be able to edit that (being on shared hosting). Is there any workaround that people know of?
Couple of minor corrections:
You are closing the </body> tag twice
This code is missing at least the submit button.
It seems that mod_security can be overridden in .htaccess
Code:
<IfModule mod_security.c>
# Turn off mod_security filtering. SMF is a big boy, it doesn't need its hands held.
SecFilterEngine Off
# The below probably isn't needed, but better safe than sorry.
SecFilterScanPOST Off
</IfModule>
I don't have mod_security on my computer and it works fine here, so I can't really reproduce the error at the moment.
Thanks for your suggestions - you're absolutely right about your corrections, whoops!
Unfortunately, changing the .htaccess does nothing - and if I remove the "IfModule" tags, it gives an internal server error, which suggests to me that mod_security isn't being used and hence isn't the cause of my problems.
As you say, it works fine on my local apache server, as well as on a different website (and different hosting provider), just not this web hosting. I think I'll get in touch with them to ask them if they can help. Cthulhu help me, with their support procedures *eyeroll*
On checking the apache error logs, I can see mod_security errors. The mod_security was blocking the HTTP POST as it thinks it is a possible injection to the site. I have disabled the mod_security settings for the domain to fix the issue.
So yeah, looks like it was mod_security (the internal server errors were presumably caused by some restriction on disabling mod_security). Everything now works as we expected. Thanks for your help, bertlef
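Added example, not part of any post in this thread: the diagnosis came from mod_security entries in the Apache error log, and the sketch below pulls the rule id, URI and matched variable out of such entries so a host can be asked to exclude one rule for one form field rather than disable filtering for the whole domain. It assumes the ModSecurity 2.x error-log layout; the log lines, rule ids, paths and hostnames are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the ModSecurity 2.x Apache error-log layout.
# IPs, hostnames, rule ids and file paths are placeholders, not from the thread.
SAMPLE_LOG = '''\
[Mon Jan 01 10:00:00 2024] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<!--" at ARGS:input. [file "/etc/modsecurity/example.conf"] [line "12"] [id "900001"] [msg "Possible HTML injection"] [hostname "www.example.test"] [uri "/form.php"] [unique_id "AAAAAAAAAAAAAAAAAAAAAAAA"]
[Mon Jan 01 10:00:05 2024] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Mon Jan 01 10:01:00 2024] [error] [client 192.0.2.11] ModSecurity: Warning. Pattern match "select" at ARGS:q. [file "/etc/modsecurity/example.conf"] [line "30"] [id "900002"] [msg "SQL keyword"] [hostname "www.example.test"] [uri "/search.php"] [unique_id "BBBBBBBBBBBBBBBBBBBBBBBB"]
'''

# Only "Access denied" entries correspond to a blocked request (the 403 seen by the user).
DENIED = re.compile(r'ModSecurity: Access denied with code (\d{3})')
# The variable the rule matched on, e.g. ARGS:input (the POST field named "input").
TARGET = re.compile(r' at ([A-Z_]+(?::[^.\s]+)?)\.')
# Trailing metadata such as [id "900001"] or [uri "/form.php"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def blocked_requests(log_text):
    """Return one dict per request ModSecurity denied; warnings and other errors are skipped."""
    hits = []
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied:
            continue
        fields = dict(FIELD.findall(line))
        target = TARGET.search(line)
        hits.append({
            "status": int(denied.group(1)),
            "rule_id": fields.get("id"),
            "msg": fields.get("msg"),
            "uri": fields.get("uri"),
            "target": target.group(1) if target else None,
        })
    return hits


def summarize(hits):
    """Count denials per (rule id, uri, target) to scope a targeted exclusion request."""
    return Counter((h["rule_id"], h["uri"], h["target"]) for h in hits)


if __name__ == "__main__":
    for key, count in summarize(blocked_requests(SAMPLE_LOG)).items():
        print(count, key)
```
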