On 31.10.21 at 13:57, Filip Bartmann wrote:
> Hello thanks,
>
> so I do this, I thought, that core rule set can be enabled even if I
> want to POST HTML content.
it's not completely disabled
SecRequestBodyAccess versus SecRuleEngine!
phase:1 and all the header stuff is still active
SecRequestBodyAccess:
Configures whether request bodies will be buffered and processed by
ModSecurity by default.
> ______________________________________________________________
> > From: "Reindl Harald" <h.r...@th...>
> > To: mod...@li...
> > Date: 31.10.2021 13:41
> > Subject: Re: [mod-security-users] Recommended rule exclusions for
> WYSIWYG editor editing
> >
>
> On 31.10.21 at 13:34, Filip Bartmann wrote:
> > I'm discovering mod_security with core rule set as very useful, but
> I'm going in to trouble with editing HTML via admin part of my CMS
> including file uploads other parts works well.
> >
> > Is there any recommendations for minimal rule exclusions for allowing
> this, but with as many as possible rules enabled. In editing html in
> forms I get many detections in this as XSS attacks or so on.
>
> you started that topic already a few weeks ago
>
> there is nothing like post HTML and enable as much as possible rules at
> the same time - you will have a full-time job adding more and more rules
> to exceptions and a minimal WYSIWYG change can hit another rule tomorrow
>
> forget it, been there, done that many years ago - it's not worth
>
> <IfModule mod_security2.c>
> <LocationMatch "(.*)\/editor\/plugins\/preview\.php$">
> SecRequestBodyAccess Off
> </LocationMatch>
> </IfModule>
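
The distinction made in the reply above (request body inspection switched off for one endpoint while the rule engine and header rules stay active), as an added configuration example that is not part of the original thread. The two marker rules, their ids (100001, 100002), the header name X-Waf-Check and the query parameter waf_check are constructed for this example; the LocationMatch scope mirrors the one quoted in the thread.

```apache
<IfModule mod_security2.c>
    # Global defaults: engine enforcing, request bodies buffered and inspected.
    SecRuleEngine On
    SecRequestBodyAccess On

    # Constructed marker rule 1 (id and header name are placeholders).
    # It runs in phase:1 on request headers only, so it does not depend on
    # the request body being buffered.
    SecRule REQUEST_HEADERS:X-Waf-Check "@streq phase1" \
        "id:100001,phase:1,deny,status:403,log,\
        msg:'marker: header rule still active'"

    # Constructed marker rule 2 (id and parameter name are placeholders).
    # It runs in phase:2 but only looks at the query string (ARGS_GET),
    # which is available without request body access.
    SecRule ARGS_GET:waf_check "@streq phase2" \
        "id:100002,phase:2,deny,status:403,log,\
        msg:'marker: query string rule still active'"

    # Same scope as the configuration quoted in the thread: only the request
    # body of this endpoint is left unbuffered and uninspected. Body-derived
    # data (POST arguments, uploaded files) is not seen by any rule here;
    # both marker rules above still apply to requests for this URL.
    <LocationMatch "/editor/plugins/preview\.php$">
        SecRequestBodyAccess Off
    </LocationMatch>
</IfModule>
```

A request to the editor URL that carries the marker header or the marker query parameter should be answered with 403 and logged in the audit log, while the posted HTML body passes uninspected. Remove both marker rules once the behaviour has been confirmed.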