Try to fix eventlist plugin with ModSec rules

conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

@@ -23,3 +23,20 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/themes.php" \
     nolog,\
     ctl:ruleRemoveTargetByTag=CRS;ARGS:newcontent"
 
+# The ability to edit CSS triggers XSS rules when editing posts.
+# Disable all CRS rules on the wp-json API endpoint.
+SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/posts/" \
+    "id:1003,\
+    phase:2,\
+    pass,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=CRS,ARGS:content"
+
+# Make the eventlist plugin work.
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
+    "id:1004,\
+    phase:2,\
+    pass,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=CRS,ARGS:/widget-event_list_widget.*/"
+