[wp-hackers] What would strip $_POST before 'init' runs?
Brian Layman
wp-hackers at thecodecave.com
Thu Jul 19 20:38:43 UTC 2012
Yeah, I was going to suggest the same thing, but as you are displaying a
google form, I wasn't sure if you could do that. However, if you could
hash/base64_encode your field values before they are submitted, you
maybe could get past mod_sec.
Brian Layman
On 7/19/2012 4:20 PM, Mike Walsh wrote:
> On Thu, Jul 19, 2012 at 11:02 AM, Hal Burgiss <hal at burgiss.net> wrote:
>
>> On Thu, Jul 19, 2012 at 7:41 AM, Dion Hulse (dd32) <wordpress at dd32.id.au> wrote:
>>> mod_Security itself is a major PITA most of the time, I'm not saying
>>> it's useless, but that doesn't make it a pain when you come up against
>>> it.
>>>
>> I agree. I had it installed on our servers, and uninstalled it due to the
>> number of false positives and the continual workarounds. In some
>> environments, it might be great. The concept is great, but the
>> implementation can be problematic.
>>
>>
> Based on what I've seen, I agree! Unfortunately sometimes people have no
> idea that their hosting provider is even doing this. Having never run into
> it before, it took a while for me to sort it out.
>
> I was considering trying to add some jQuery to "encode" the form parameters
> so there isn't any chance of a URL being caught but so far I haven't come
> up with anything that does anything meaningful. I have managed to flag
> when a 403 is caught and added a message so at least it is a little cleaner.
>