modsecurity prevents WP Githuber MD from working

[gene1wood]

(see also coreruleset/wordpress-rule-exclusions-plugin#60 )

Describe the bug

The modsecurity web application firewall (WAF) which is often used in Apache and Nginx, prevents WP Githuber MD from working because it triggers a false positive due to the h2m_strip_tags argument.

The WAF see's the argument which contains the string strip_tags and thinks it's a PHP Injection Attack.

I'm reporting this, not necessarily because something should be changed/fixed in WP Githuber MD, maybe just to add it to the known issues.

To reproduce

Steps to reproduce the behavior:

1. Install modsecurity and modsecurity-crs
2. Install the wordpress-rule-exclusions-plugin for crs
3. Update a Wordpress page

Expected behavior

Ideally modsecurity wouldn't block the POST and would allow the user to post pages using WP Githuber MD

Server environment

• WordPress version 6.6.1
• WP Githuber MD plugin version 1.16.3
• PHP version 8.3

User environment

• OS: Linux
• Browser Firefox

Additional context

Logs can be seen in the issue opened with the wordpress-rule-exclusions-plugin modsecurity CRS plugin coreruleset/wordpress-rule-exclusions-plugin#60

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 2 days.

[gene1wood]

This issue is still valid, we should keep it open.