I'm trying to create a type of HTML editor app with a preview box. Everything is working fine, except I just added URL parameters/queries in this format.
http://edit.mydomain.com/?code=%3Cp%3EWelcome!%3C%2Fp%3E&type=html
These are working fine until this gets added into it:
<script type="text/javascript">
Encoded, that would be
http://edit.mydomain.com/?code=%3Cscript%20type%3D%22text%2Fjavascript%22%3E&type=html
Unfortunately, going directly to that loads an infinite redirect error.
Next, I tried removing any .htaccess rewrite rules (because they really aren't needed on this particular page) I had which are:
RewriteEngine On
# A path ending in a slash is served internally by the matching .php file
RewriteRule ^(.*)/$ /$1.php [L]
# Anything that is not an existing file and lacks a trailing slash gets a
# permanent redirect to the slash-terminated form
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://edit.mydomain.com/$1/ [R=301,L]
# A request that names the .php file explicitly is redirected to the
# extension-less path; QSA keeps the original query string
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\.php\ HTTP/ [NC]
RewriteRule .+ http://edit.mydomain.com/%1 [R=301,QSA]
But doing that caused the URL with the query to load a Forbidden page saying I'm not allowed to access /.
When this was previously in a directory, it loaded the root home page (not directory) even though the URL showed the directory followed by the query.
I also have a feeling that the server blocked my IP for a while yesterday because the site suddenly went down for me and only me. Would such URL queries be considered a security risk?
Removing the < part of the code (or %3C encoded) fixes this error but of course, the < is missing from the code that outputs.
Is it possible to accept the encoded in the URL? It seems to work fine with tags.
Thanks.
It's entirely possible that your <script> tag in the URL parameter is triggering some sort of intrusion protection on your server or your ISP's firewall.
Stuff like this is usually done with a POST request, not a GET request. Is there a reason you're not doing it that way?
It is possible that you have mod_security installed. I believe mod_security2 doesn't allow control from the .htaccess file but the older version does. http://www.modsecurity.org/
However, I think instead of fiddling around with mod_security rules it's better that you figure out a way to send the code in a POST var rather than GET.
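Both answers recommend moving the editor contents out of the query string. The example below is an added illustration for this thread, not the asker's app or either answerer's code: it builds the GET URL from the question, builds the equivalent POST body, and shows one way to render the preview box that does not hand the submitted markup the editor page's own origin. The host name is the one in the question; the sandboxed-iframe preview is an assumption about how the preview could be built, not something the thread describes.

```python
"""
GET query vs. POST body for the editor's `code` parameter, plus a
sandboxed preview. Added example for this thread; it is not the
asker's application. Only the standard library is used.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlencode

# Host taken from the question.
EDITOR_HOST = "http://edit.mydomain.com/"


def get_url(code, kind="html"):
    """The GET form used in the question.

    The HTML lands in the request line, which is exactly what a web
    application firewall such as mod_security inspects, what proxies and
    the server's access log record, and what anyone can turn into a
    shareable link that reflects their markup into the preview page.
    quote() with safe="" reproduces the %20 / %2F encoding shown in the
    question.
    """
    query = urlencode({"code": code, "type": kind}, quote_via=quote, safe="")
    return EDITOR_HOST + "?" + query


def post_body(code, kind="html"):
    """The same fields as an application/x-www-form-urlencoded POST body.

    Same bytes, but they travel in the request body rather than the URL:
    no link that embeds the markup, nothing in the request line for
    request-line rules or logs to pick up.
    """
    return urlencode({"code": code, "type": kind})


def parse_form(body):
    """What the server reads back from either transport (first value per key)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def preview_frame(code):
    """Wrap user HTML in a sandboxed iframe via srcdoc.

    escape(quote=True) keeps the markup inside the attribute value, and the
    bare sandbox attribute blocks script execution entirely. If the preview
    must run scripts, adding allow-scripts without allow-same-origin still
    keeps them in an opaque origin, so they cannot read the editor page's
    cookies or DOM. The markup is rendered, not reflected into the page.
    """
    return '<iframe sandbox srcdoc="%s"></iframe>' % escape(code, quote=True)


if __name__ == "__main__":
    sample = '<script type="text/javascript">'  # the string from the question
    print(get_url(sample))
    print(post_body(sample))
    print(parse_form(post_body(sample)))
    print(preview_frame(sample))
```

The round trip through parse_form shows that the server sees identical data either way; the only thing that changes is where the bytes sit in the request, which is what a request-line rule or an access-log reader keys on.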