I have a website that uses jQuery ajax $.post to save html data to a PHP script. The data for $.post is serialized textarea form data (where the user edits css, javascript & html).
All works well until I enable OWASP ModSecurity Core Rule Set V3.0.
In my apache log I see errors like NoScript XSS InjectionChecker: HTML Injection, XSS Filter - Category 4: Javascript URI Vector, HTTP Response Splitting Attack, Inbound Anomaly Score Exceeded & meta found within ARGS:
In OWASP ModSecurity Core Rule Set V3.0 if I disable rules/REQUEST-921-PROTOCOL-ATTACK.conf & rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf then everything is working.
It looks like ModSecurity prefers a JSON-like format, but how can I save this raw html, css & javascript code from the editor to the server? For security, I would like to keep these rules turned on.