Weird bug with relationship field and double quotation mark

• the_lar

• February 12, 2021 at 3:30 am

Hi all,

I’ve defined a custom form which I’m using on the backend of my wordpress site in a plugin options page via acf_form()

The form has a couple of relationship fields filtered to show products with 2 different category taxonomies, these relationship fields have search fields for users to quickly filter the products to find what they are looking for.

All works fine, except that when type a double quote mark into the search field, the response is a 403 error. Every other character seems fine. The weird thing is that this only occurs on my webserver, not on my local development site.

So my initial thought is that this is some kind of security thing on the server, maybe SQL injection protection going on?

Here’s a screenshot of the request from Firefox dev console:

Any ideas?

• the_lar

• February 12, 2021 at 4:42 am

Just answering my own question here… it was hitting a ModSec rule on the server that is in place to protect from a XSS vulnerability in a plugin called Modern Events Calendar Lite plugin 4.2.1 for WordPress – which I don’t use so server guys have disabled rule and it works now!

Hope this helps someone else sometime!

• the_lar

• February 12, 2021 at 8:33 pm

@abhiriscott – sorry, don’t know the answer to that, I guess an insecure form in that particular plugin I mentioned but I can’t be specific.