I need a little help with the removal of repetitive non-word characters like line breaks in an HTML textarea that cause errors in modsecurity. I'm making a simple HTML form with a textarea that visitors can fill in:
Your question:<br>
<textarea name="question" cols=100 rows=8></textarea>
Next, I'm using gen_validatorv4.js
to validate the input
frmvalidator.addValidation("question","maxlen=800", "Max length is 800 characters");
The form action on submit is a script contact-form-handler.php
which does the following:
$question = $_POST['question'];
My problem is that when the customer enters multiple line breaks (Enter, Return) Modsecurity returns an error that access to contact-form-handler.php is denied:
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:bericht. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "\x0d\x0a\x0d\x0a"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1414686989441629 117554 (- - -)
Stopwatch2: 1414686989441629 117554; combined=91683, p1=11515, p2=79432, p3=0, p4=0, p5=731, sr=815, sw=5, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache/2.2.22 (Debian)
I tried with a second (dummy) textarea that isn't even processed in the php script, nevertheless modsecurity blocks access to the script. When the multiple line breaks are removed, the form is successfully processed and sent with msmtp.
Rather than alleviating the modsecurity rules (don't know how to do that either) I feel more like removing multiple line breaks (and spaces) in the HTML contact form before it is processed by the php script. I found some guidelines to do so with the following javascript format:
txt = txt.replace(/(\r\n|\n|\r)/gm, " ");
but I lack the knowledge to feed "question" into this command and then make it available for the php command $question = $_POST['question'];
Can anyone help?
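One way to do what the question asks, as an added example that is not part of the original post: normalize the textarea value on submit so runs of line breaks and spaces are collapsed, and check the value the same way CRS rule 960024 does (`\W{4,}`), taking into account that the browser sends each textarea line break as CRLF (the `\x0d\x0a` pairs in the log). The form id `contactform` is an assumption; the post does not name the form.

```javascript
// Added example, not code from the original post. Collapses repeated line
// breaks and spaces in the "question" textarea before the form is submitted,
// so the POSTed value no longer contains the \x0d\x0a\x0d\x0a run that
// CRS rule 960024 (pattern \W{4,}) matched.

// Normalise a textarea value: unify line endings, collapse runs of spaces
// and tabs, drop spaces around line breaks, collapse blank lines, trim.
function normalizeQuestion(text) {
  return text
    .replace(/\r\n?/g, "\n")    // CRLF or lone CR -> LF
    .replace(/[ \t]+/g, " ")    // runs of spaces/tabs -> one space
    .replace(/ ?\n ?/g, "\n")   // no spaces directly before/after a break
    .replace(/\n{2,}/g, "\n")   // several consecutive breaks -> one
    .trim();
}

// Same check the CRS rule applies, on the value as the browser will send it:
// form submission encodes every textarea line break as CRLF, so one break is
// already two non-word characters and two blank lines are four.
function wouldTriggerNonWordRun(text) {
  var asSubmitted = text.replace(/\r\n?|\n/g, "\r\n");
  return /\W{4,}/.test(asSubmitted);
}

// Rewrite the field on submit, before the browser builds the POST body.
// Assumes the textarea is named "question" (as in the post).
function attachNormalizer(form) {
  form.addEventListener("submit", function () {
    var field = form.elements["question"];
    field.value = normalizeQuestion(field.value);
  });
}

// "contactform" is a hypothetical id for the form in the post.
if (typeof document !== "undefined") {
  var contactForm = document.getElementById("contactform");
  if (contactForm) attachNormalizer(contactForm);
}
```

Punctuation runs such as `?!?!` are also four non-word characters and still match the rule, so `wouldTriggerNonWordRun` is the check to run on the final value; the PHP side still has to validate `$_POST['question']` itself, since anything client-side can be bypassed.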