From ad96d58d5474cd58de4258f36159b385ac04acad Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Wed, 9 Dec 2020 10:24:30 +0000
Subject: [PATCH] Try to fix eventlist plugin with ModSec rules

---
 .../REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf b/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
index f09548a..6c8011f 100644
--- a/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+++ b/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
@@ -23,3 +23,20 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/themes.php" \
     nolog,\
     ctl:ruleRemoveTargetByTag=CRS;ARGS:newcontent"
 
+# The ability to edit CSS triggers XSS rules when editing posts.
+# Disable all CRS rules on the wp-json API endpoint.
+SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/posts/" \
+    "id:1003,\
+    phase:2,\
+    pass,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=CRS,ARGS:content"
+
+# Make the eventlist plugin work.
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
+    "id:1004,\
+    phase:2,\
+    pass,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=CRS,ARGS:/widget-event_list_widget.*/"
+
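Review bot: The tag/target separator in the two new `ctl:` actions (rule 1003, line `ctl:ruleRemoveTargetByTag=CRS,ARGS:content"`, and rule 1004) is a comma, whereas the existing exclusion just above uses `ctl:ruleRemoveTargetByTag=CRS;ARGS:newcontent` with a semicolon. In a ModSecurity action list the comma delimits actions, so these lines are likely to be read as `ctl:ruleRemoveTargetByTag=CRS` followed by an unknown action `ARGS:content` (or `ARGS:/widget-event_list_widget.*/`), which would either fail config load or leave the target untouched rather than excluding it; change both to `ctl:ruleRemoveTargetByTag=CRS;ARGS:content` and `ctl:ruleRemoveTargetByTag=CRS;ARGS:/widget-event_list_widget.*/`. The comment on rule 1003 also overstates what the rule does: it removes only the `ARGS:content` target from CRS-tagged rules on that path rather than disabling all CRS rules, so it should read `# Exclude the post body (ARGS:content) from CRS inspection on the wp-json posts endpoint.` Keeping the comment accurate matters here because a reader auditing WAF exclusions would otherwise assume the endpoint is fully unprotected.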
-- 
GitLab