[mod-security-users] XSS Rule -

[Norman V. <nv...@ho...>]

Hello all,

I am a new mod_security user and have two questions regarding the XSS
rule id 50004.

Here's the regex (2.0.1.1.1):

(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|dow
n|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|
blur)\b\W*?=3D|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|i=
v
escript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\
W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b|
[vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=3D=
.
*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|she
ll|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)f
older|background-image:|@import)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?
:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\
[CDATA\[|script|meta)|.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e
|innerhtml)\b)

Question 1: What is @import trying to address? It will block
nv...@im....

Question 2: If I modified the rule by redirecting to error.jsp and added
sanitiseMatched to prevent looping, are there any issues when
redirecting to a dynamic page using a relative URL?

Norm Vilmer
Sr. Programmer Analyst - Hotels.com