Elxis CMS Forum
Support => Security => Topic started by: seadhna on May 11, 2016, 15:27:41
-
Hi, we are getting banned for simple edits when editing the Spanish version of articles. e.g. inclusion of a straight apostrophe (curly apostrophe is ok) is causing a security warning: forbidden!
Sometimes, just adding or changing the article title in the French or Spanish version is causing this Forbidden! alert.
Can you advise?
-
So, here is a specific example. The following piece of code causes a 'Forbidden' error and the text is not saved (in an alternate language version of the site):
<p>The work of the ILHR Programme is central to the attainment of PGA's vision.</p>
If I change the apostrophe to a "curly apostrophe", I am able to save the code without error:
<p>The work of the ILHR Programme is central to the attainment of PGA’s vision.</p>
-
Try to use the HTML number for single quotes as quoted below!
<p>The work of the ILHR Programme is central to the attainment of PGA&#39;s vision.</p>
-
Hi, yes, this also works, but just a temp. solution right? Is this a known glitch with the CMS?
-
Also, while this workaround 'works', it only works for one 'save'. If you click 'apply' a 2nd time, the CMS has changed the HTML codes back to apostrophes and the save is forbidden and the admin is banned.
-
@seadhna I have no problem saving article with any type of quote/apostrophe. I believe it is something that has to do with your PHP settings. Do you use PHP less than 5.4? You can bypass this problem by removing the Elxis Defender security rule that causes you the problem. Write me the exact Reference code you get from Elxis Defender.
-
Hi! So, if I try to save a multilingual version of any article and the text includes ' a popup says: www.example.org says: Error! Forbidden.
If I do that three times, I am banned and when I reload the CMS in the browser the message is:
Request dropped!
You have been banned! If you think this is wrong contact the site administrator.
Reference code: SEC-DEFB-0001
-
PHP version is 5.5
-
I changed the Elxis Defender setting to 'General Rules' only, but this has not resolved the issue.
Other security settings are:
security level: normal
SSL switch: off
Encryption method: mCrypt
Check IP moment: After loading Elxis core
Accept X-Frame: Yes.
-
I just noticed how you phrased your reply "I have no problem saving article"
I also can save an article (in the primary language of English) no problem.
This happens ONLY when attempting to save secondary language versions of an article.
-
My hosting provider has a firewall (mod security). When it was active I had similar problems.
-
You are right, there is a problem saving single quotes in translation items.
I have 2 solutions for you, pick your preferred one.
1. Stop Elxis Defender blocking single quotes
open this file: includes/libraries/elxis/defender/general.rules.php
Change line 63 from this:
array('POST', '\<|\>|\"|\'', 'Unescaped character'),
To this:
array('POST', '\<|\>|\"', 'Unescaped character'),
2. Encode single quotes.
Open this file: components/com_etranslator/includes/mlapi.js
Go to lines 415 - 420:
if (trtext == '') {
    msgObj.className = 'ml_message ml_error';
    msgObj.innerHTML = mldata.prtransmsg;
    msgObj.style.display = '';
    return false;
}
Add below:
trtext = trtext.replace(/'/g, '&#39;');
After this change hit control+F5 in your browser to refresh its cache.
I will patch Elxis with the second solution. Thanks for reporting this problem.
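The effect of the two fixes above, as an added example that is not part of the original post and is not Elxis code. It assumes Elxis Defender applies the line 63 pattern as a regex search over each POST value; `reloadInEditor` and `saveTwice` are hypothetical helpers modelling the save and reload cycle reported earlier in the thread.

```javascript
// Added illustration, not Elxis code. Patterns copied from the two versions
// of line 63 of general.rules.php quoted in the post above.
const RULE_ORIGINAL = /\<|\>|\"|\'/; // blocks < > " '
const RULE_RELAXED = /\<|\>|\"/;     // solution 1: ' is no longer checked

// Assumption: the rule is a plain regex search over each POST value.
function isBlocked(rule, postValue) {
  return rule.test(postValue);
}

// Solution 2: the replace added to mlapi.js, run on every submit.
function encodeSingleQuotes(trtext) {
  return trtext.replace(/'/g, '&#39;');
}

// Hypothetical model of the editor reloading saved text with the entity
// turned back into an apostrophe, as reported earlier in the thread.
function reloadInEditor(saved) {
  return saved.replace(/&#39;/g, "'");
}

// Save the same field twice; returns [firstSaveAccepted, secondSaveAccepted].
function saveTwice(firstInput, encodeOnSubmit) {
  const accepted = [];
  let text = firstInput;
  for (let i = 0; i < 2; i++) {
    const posted = encodeOnSubmit ? encodeSingleQuotes(text) : text;
    accepted.push(!isBlocked(RULE_ORIGINAL, posted));
    text = reloadInEditor(posted);
  }
  return accepted;
}

// Constructed sample values based on the texts quoted in this thread.
const straight = "attainment of PGA's vision.";
const curly = "attainment of PGA\u2019s vision.";

console.log('straight, original rule:', isBlocked(RULE_ORIGINAL, straight));
console.log('curly, original rule:   ', isBlocked(RULE_ORIGINAL, curly));
console.log('straight, relaxed rule: ', isBlocked(RULE_RELAXED, straight));
console.log('typed entity, 2 saves:  ', saveTwice('PGA&#39;s vision', false));
console.log('submit-time encode:     ', saveTwice(straight, true));
```

Solution 1 stops the rule from checking single quotes in every POST field, while solution 2 leaves the rule unchanged and alters only what the translator sends.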
-
Great! Thanks!
-
Hi Datahell,
this issue is happening now when an apostrophe is present in the article title - even in English (primary language).
e.g. if I type: test's
as the article title and then click 'suggested' for the SEO title, I get the 'forbidden' popup alert.
-
Please write your exact Elxis version and the error message/code you get.
-
hmm... it's not happening anymore now - sorry, not sure what happened the last day, can't replicate the issue now.
-
Hi datahell,
this issue is happening again I'm afraid - I have both fixes in place. The 2nd solution is already in place now in the latest update of Elxis. The first solution I have also inserted manually. The issue is now happening in OTHER language versions of a MODULE (Text module). Same issue - apostrophe, but even ALT+0146 does not work. The popup window says Error! Forbidden! when I try to save other language versions of the module.
-
CORRECTION: it is NOT an apostrophe this time, it is the 2nd line of this script:
<script type="text/javascript">
jQuery(document).ready(function(){
jQuery('#slideshow').fadeSlideShow();
});
</script>
This is on the latest version of Elxis (4.5)
-
Error also happens if I try to save the script in multi-lingual version of a category - i.e. any language other than English (primary language).
-
Writing javascript inside articles is a bad idea!
-
I agree. I was putting it in a module as a 'lesser crime'.
My workaround has been to create a module ONLY for this script in English only, and thus, even the other language version pages pull from the English language version of the module because I cannot save this script in other language versions of a module.