I'm testing 2.8.0 with the JSON request body processor and it seems that the sanitiseArgs is not working as expected.

It detects the fields, it matches the rule, but it logs the data in the clear, even though modsec logs which args were sanitised.

SecAction "phase:5,id:'6660666',t:none,pass,nolog,sanitiseArg:cardNumber,sanitiseArg:cardToken"

audit log:
[29/Apr/2014:12:19:54 +0100] U1@K2goFLh4AAHIFMqAAAAAS 43609 443
POST /psp/save HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/ libidn/1.23 librtmp/2.3
Host: payments
Content-Type: application/json;charset=UTF-8
Accept: application/json
Content-Length: 114

HTTP/1.1 400 Bad Request
Content-Type: application/json
Via: 1.1 payments
Content-Length: 78
Connection: close

{"message":"Please check your input and try again.","error":"Invalid Details"}
Apache-Handler: proxy-server
Stopwatch: 1398770394130647 22955 (- - -)
Stopwatch2: 1398770394130647 22955; combined=2733, p1=266, p2=2062, p3=9, p4=355, p5=40, sr=86, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Sanitised-Args: "cardNumber", "cardToken".

A similar request using application/x-www-form-urlencoded works as expected.


- Bruno
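An added check for the behaviour described above (this is not code from the original post or from ModSecurity): it splits a serial-format audit entry into its parts, reads the Sanitised-Args line ModSecurity writes in part H, parses the logged request body in part C according to its Content-Type, and reports any field that is claimed sanitised but whose logged value is not an all-asterisk mask. The two audit entries, their boundary ids and the field values are constructed for the example.

```python
import json
import re
from urllib.parse import parse_qs
# Constructed serial-format audit entries (parts B, C, H only), not from the post.
JSON_ENTRY = """--1a2b3c-B--
Content-Type: application/json;charset=UTF-8
--1a2b3c-C--
{"cardNumber":"1234567890123456","cardToken":"tok_abc","amount":10}
--1a2b3c-H--
Sanitised-Args: "cardNumber", "cardToken".
"""
FORM_ENTRY = """--4d5e6f-B--
Content-Type: application/x-www-form-urlencoded
--4d5e6f-C--
cardNumber=****************&cardToken=*******&amount=10
--4d5e6f-H--
Sanitised-Args: "cardNumber", "cardToken".
"""
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)

def split_parts(entry):
    """Map each part letter (B, C, H, ...) to the text between its markers."""
    marks = list(PART_RE.finditer(entry))
    ends = [m.start() for m in marks[1:]] + [len(entry)]
    return {m.group(2): entry[m.end():end].strip("\n") for m, end in zip(marks, ends)}

def sanitised_names(part_h):
    """Names ModSecurity claims to have masked, from the Sanitised-Args line in part H."""
    m = re.search(r"^Sanitised-Args:\s*(.*)$", part_h, re.M)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []

def body_args(part_b, part_c):
    """Parse the logged body (part C) as JSON or form-urlencoded, per Content-Type."""
    m = re.search(r"^Content-Type:\s*([^;\r\n]+)", part_b, re.M | re.I)
    ctype = m.group(1).strip().lower() if m else ""
    if ctype == "application/json":
        try:
            return {k: str(v) for k, v in json.loads(part_c).items()}
        except (ValueError, AttributeError):
            return {}  # not a JSON object; nothing to compare
    if ctype == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(part_c, keep_blank_values=True).items()}
    return {}

def leaked_args(entry):
    """Sanitised names whose logged value is not an all-asterisk mask."""
    parts = split_parts(entry)
    args = body_args(parts.get("B", ""), parts.get("C", ""))
    return [n for n in sanitised_names(parts.get("H", ""))
            if n in args and args[n] and set(args[n]) != {"*"}]
```

Run over a real audit log, a non-empty result for a JSON entry reproduces the mismatch reported here, while the form-urlencoded entry comes back clean.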