L3Y Posted June 23, 2015

Hi,

The integrated support manager in Blesta is very nice. But if you enable the plugin, then you need to disable many mod_security / naxsi rules just to be able to post a couple of lines in a ticket. Customers want to send very long code, and you may ask them to send stuff like email sources, debug output, etc. It can take a lot of time and effort before you get a stable and secure set of mod_security / naxsi rules.

We all know Blesta is very secure, but it's always better to use an application firewall like mod_security or naxsi. However, doing this can turn into a nightmare. While trying to submit code, or any other content with special characters, your customers may see 503 error codes. That's not beautiful.

Some people may end up doing stupid things like completely disabling mod_security when they should not. Other people will simply start disabling everything they see in the logs. They may disable too many rules, or whitelist too many IPs.

I found a very good way to avoid 503 errors while keeping most of your naxsi / mod_security rules intact. With these little changes in your files, your customers will be able to copy/paste and type everything they want in a ticket text field or subject line, and you won't need to disable all your rules. In fact, I can use the support manager plugin with only a couple of rules disabled.
You can re-enable most of your rules for the support plugin paths by doing this:

1) Go to the support_manager plugin folder and open /views/default/client_tickets_reply.pdt. Add the following at the end of the file, just after the ?>:

```html
<script>
// Replace every character outside the allow-list with a space, so the value
// that gets submitted no longer contains the characters that trip the
// mod_security / naxsi rules.
function deleteextra() {
    var initVal = $(this).val();
    var outputVal = initVal.replace(/[^0-9a-zA-Z\n\/'@-]/g, " ");
    if (initVal != outputVal) {
        $(this).val(outputVal);
    }
}

$().ready(function () {
    // Filter the subject line and every textarea on each keyup and on blur.
    $("#summary").keyup(deleteextra).blur(deleteextra);
    $("textarea").keyup(deleteextra).blur(deleteextra);
});
</script>
```

2) Do the same in client_tickets_add.pdt.

And voilà! You are now able to use mod_security with the support manager on the client side. You may also do the same on the admin side (in admin_tickets_add.pdt and admin_tickets_reply.pdt).

What does it do? When a customer copies and pastes, or types something in the ticket reply or ticket add textarea, the unwanted special characters will just disappear before the ticket is submitted. It will only keep the following: @.-_ It will also remove the http:// and https:// before a URL, to make sure your staff won't click on any link by mistake. I love jQuery!

You may want to adapt the regex to your requirements, but this works fine for us. I hope this will help someone!
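The filter above is jQuery glued to a Blesta view, which makes it hard to test or to see exactly what it throws away. The block below is an added example, not code from the post or from Blesta: the same allow-list (the post's character class, unchanged) as a plain function, a report of which characters were dropped, and a vanilla-DOM equivalent of the keyup/blur wiring. The function names (stripToAllowList, droppedCharacters, attachFilter, demo) and the sample text are assumptions made for this example. Two points worth keeping in mind when you adapt it: the class as written keeps letters, digits, newline, `/`, `'`, `@` and `-`, and turns everything else, including `.`, `_`, `:` and `=`, into a space, so e-mail addresses and URLs come out reshaped as the demo shows; and because it runs in the browser, it is a usability measure that keeps legitimate input inside what the WAF rules accept, not a security control. The WAF still sees and blocks whatever a client that skips the script sends.

```javascript
// Added example (not from the original post and not Blesta code): the post's
// allow-list filter as a testable function, plus a report of what it drops.
// Assumption: DEFAULT_ALLOW is the post's regex character class, unchanged.
const DEFAULT_ALLOW = /[^0-9a-zA-Z\n\/'@-]/g;

// Replace every character outside the allow-list with one space. The result
// has the same length as the input, since each dropped character becomes a
// space (this is why a URL keeps its shape but loses its punctuation).
function stripToAllowList(text, allowRe = DEFAULT_ALLOW) {
  return text.replace(allowRe, ' ');
}

// Count the characters the filter would drop, so staff can tell a customer
// what was removed (the post's version drops them silently). A space is
// replaced by a space, so it is not reported.
function droppedCharacters(text, allowRe = DEFAULT_ALLOW) {
  const counts = {};
  for (const ch of text.match(allowRe) || []) {
    if (ch === ' ') continue;
    counts[ch] = (counts[ch] || 0) + 1;
  }
  return counts;
}

// Same wiring as the post (filter on keyup and on blur), with plain DOM APIs
// instead of jQuery. Returns the handler so a caller can detach it later.
function attachFilter(field, allowRe = DEFAULT_ALLOW) {
  const handler = () => {
    const out = stripToAllowList(field.value, allowRe);
    if (out !== field.value) field.value = out;
  };
  field.addEventListener('keyup', handler);
  field.addEventListener('blur', handler);
  return handler;
}

// Constructed sample (not real customer data): the kind of paste that trips
// generic WAF rules, a mail header line, a URL with a quote in it, and a
// shell-looking fragment.
const SAMPLE = [
  'Received: from mx1.example.net (10.0.0.5) by mail.example.org;',
  "https://example.org/login?user=bob&pass=' OR 1=1 --",
  'rm -rf /tmp/*; echo $PATH',
].join('\n');

// Run the filter over the sample and return before/after plus the drop report.
function demo() {
  return {
    before: SAMPLE,
    after: stripToAllowList(SAMPLE),
    dropped: droppedCharacters(SAMPLE),
  };
}

if (typeof document === 'undefined') {
  // Node: print what the filter does to the sample.
  const d = demo();
  console.log(d.after);
  console.log(d.dropped);
} else {
  // Browser: attach to the same fields the post targets.
  document.querySelectorAll('#summary, textarea').forEach((f) => attachFilter(f));
}
```

Running it under Node prints the three sample lines with their punctuation turned into spaces (for instance `https //example org/login user bob pass ' OR 1 1 --`) followed by the per-character drop counts. To keep `.` or `_`, add them inside the character class, and re-test against your WAF logs, since every character you allow back is a character the rules will see again.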
Paul Posted June 23, 2015

Nice, looks very interesting! Thanks for the contribution!
serge Posted June 28, 2015

Not a lover of mod_security, but a very good contribution, and the same kind of code can be used for a custom form that has specific string/syntax validation rules.