the jquery.cookie.js triggers the apache's mod_security error
erast.nicolae - June 19, 2009 - 19:25
| Project: | Localization client |
| Version: | 6.x-1.7 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | duplicate |
Description
This is what I found in the log file when I tested locally.

[/sites/all/modules/l10n_client/jquery.cookie.js][2] Warning. Pattern match "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "D:/xampp/apache/conf/modsec/modsecurity_crs_40_generic_attacks.conf"] [line "102"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]

Actually, when I install and activate the module on the online site, they lock me out for a couple of hours because my IP was denied automatically by the mod_security Apache module. Is there any workaround besides disabling the mod_security module?

#1
After straining my eyes over modsecurity_crs_40_generic_attacks.conf,
I found the workaround myself, but on my development site, so... be aware...
I renamed jquery.cookie.js to jquery_cookie.js.
After that, I edited l10n_client.module from this:

drupal_add_js(drupal_get_path('module', 'l10n_client') .'/jquery.cookie.js', 'module');

to this:

drupal_add_js(drupal_get_path('module', 'l10n_client') .'/jquery_cookie.js', 'module');

#2
Same issue as #306889: Fails to load jquery.cookie.js (hosting problem). Since Drupal 7 ships with the same file with the same filename, I've opened #522646: jquery.cookie.js incompatible with Apache mod_security by default with background info copied from here too, so we can resolve this in Drupal 7 and port the fix to the Drupal 6 version of the module. Reopening original issue.
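
A narrower alternative to renaming the file or disabling mod_security, as an added example that is not part of the original thread: remove only rule 950004, and only for this one static file. It assumes ModSecurity 2.x, server-level access to the Apache configuration, that the Core Rule Set files are included before this block, and the request path shown in the log entry above.

```apache
# Added example (not from the thread). Place AFTER the Include lines that
# load modsecurity_crs_40_generic_attacks.conf, so rule 950004 already exists.
<IfModule mod_security2.c>
    # Weak option, for contrast: turns off every rule for the whole site.
    # SecRuleEngine Off

    # Narrow option: exact-match the file named in the log entry and drop
    # only the rule whose pattern matched ".cookie" in REQUEST_FILENAME.
    <LocationMatch "^/sites/all/modules/l10n_client/jquery\.cookie\.js$">
        SecRuleRemoveById 950004
    </LocationMatch>
</IfModule>
```

Rule 950004 stays active for every other URL, so only requests for this one file are no longer inspected by it.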