Hi Will, do you happen to have any security software installed that might be catching this and blocking the request?
I assume you are suggesting that something — probably a plugin — is trying to prevent a code injection. That certainly seems reasonable.
Sucuri is installed but has been installed for years and before the script was originally created. I tried it with Sucuri off and the problem remained.
I know Jetpack has security tests as well but assume the issue would be appearing for others.
The one big change was a recent update from Ubuntu 18LTS to 22LTS but I had not edited the code for years so I think that was simply coincidental.
I know the following can be used as a workaround:
$result = "<";
$result .= "script";
I updated the script directly in the db.
If you have other ideas, that would be great. Thanks for your support.
We could try escaping HTML entities before sending the payload, and then reconstructing, but I’d worry about potentially malforming the code data.
Were you able to reproduce the issue? I could create a test site to try.
What is puzzling to me is that I found the issue when editing an old script. The script used to allow the “<script” text. Clearly something changed somewhere, perhaps in WordPress itself.
I just created a clean WordPress install and the issue does not appear. I’ll try adding some plugins and see if I can find a conflict.
On the production site, I thought I’d try entering “<script” in another field. I did it in a search field. The server blocked the entry with a 403 error.
At this point, I’m assuming there is a server level protection trying to block code injection.
You can mark this issue as closed since the issue is not specific to Code Snippet.
Again, thanks for your excellent support.
A WAF (ModSecurity) with Comodo rules is causing the error.
I have two very similar sites that both exhibited the error. Turning off the WAF eliminated the error.
Glad you could get it sorted!
Even though it’s technically an external issue, we’re working on a patch that will hopefully reduce the problems with ModSecurity, by escaping code tags and other special characters that it appears to be flagging.
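The diagnosis reached in this thread (a 403 from a server-level WAF rather than from the plugin) can be confirmed from the web server's error log. The following is an added example, not part of the original thread or the plugin's code: it parses denial lines in the ModSecurity 2.x Apache error-log style and shows which rule blocked which request field. The log lines, rule ids, file paths and the field name `snippet_code` are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 2.x Apache error-log style. Rule ids,
# file paths, hosts and the ARGS name "snippet_code" are placeholders.
SAMPLE_LOG = """\
[Tue Jan 10 09:14:02 2023] [:error] [pid 2211] [client 203.0.113.7:51544] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:snippet_code. [file "/path/to/rules/placeholder.conf"] [line "12"] [id "900001"] [msg "Constructed: script tag in argument"] [hostname "example.test"] [uri "/wp-admin/admin.php"] [unique_id "A1"]
[Tue Jan 10 09:20:41 2023] [:error] [pid 2214] [client 203.0.113.7:51602] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:s. [file "/path/to/rules/placeholder.conf"] [line "12"] [id "900001"] [msg "Constructed: script tag in argument"] [hostname "example.test"] [uri "/"] [unique_id "A2"]
[Tue Jan 10 09:21:05 2023] [:error] [pid 2214] [client 203.0.113.7:51610] ModSecurity: Warning. Operator GE matched 5 at TX:score. [file "/path/to/rules/placeholder.conf"] [line "40"] [id "900002"] [msg "Constructed: non-blocking warning"] [hostname "example.test"] [uri "/"] [unique_id "A3"]
[Tue Jan 10 09:22:00 2023] [core:notice] [pid 2200] AH00094: Command line: '/usr/sbin/apache2'
"""

DENY = re.compile(r"ModSecurity: Access denied with code (\d{3}) \(phase (\d)\)\. (.*?) \[file ")
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
TARGET = re.compile(r" at ([A-Z_]+(?::[^\s.]+)?)\.")


def parse_denials(log_text):
    """Return one dict per request that ModSecurity actually blocked."""
    events = []
    for line in log_text.splitlines():
        deny = DENY.search(line)
        if not deny:
            continue  # warnings and ordinary Apache lines are not blocks
        tags = dict(TAG.findall(line))
        target = TARGET.search(deny.group(3))
        events.append({
            "status": int(deny.group(1)),
            "phase": int(deny.group(2)),
            "rule_id": tags.get("id"),
            "rule_file": tags.get("file"),
            "uri": tags.get("uri"),
            "target": target.group(1) if target else None,
        })
    return events


def blocked_inputs_by_rule(events):
    """Map rule id -> sorted (uri, variable) pairs it blocked."""
    seen = defaultdict(set)
    for e in events:
        seen[e["rule_id"]].add((e["uri"], e["target"]))
    return {rule: sorted(pairs) for rule, pairs in seen.items()}


if __name__ == "__main__":
    for rule, pairs in blocked_inputs_by_rule(parse_denials(SAMPLE_LOG)).items():
        print(rule, pairs)
```

When one rule id appears against both the plugin's save request and an unrelated field such as the site search, the block is coming from the WAF rule set and a scoped exclusion for that rule is the place to look, rather than the plugin.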