Kindly consider adding support for WordPress Gutenberg editor. #1232
Comments
Thanks for reporting @shubham-panwar. We would definitely add support if somebody were to write the
I can take on this project. It's too late for inclusion in CRS 3.1, but it would be a good feature for the next release. @shubham-panwar Are you able to help us with testing, by cloning the development branch of the CRS and checking if it works correctly? That would be awesome.
Yes, sure
We are very keen on helping here. Would need a bit of guidance too. It's not just Gutenberg, any plugins that use the REST API endpoints are hitting the firewall. This is more and more of the newer plugins, and soon it will be central to most WordPress development. We run a WordPress-specific VPS Control SaaS that is incorporating ModSec into our Server deployments. (WordPress GridPane) I was just about to look at modifying rules for post/pages when I found this, but also we have had test users submitting issues with a couple of different plugins that rely on internal use of the API. I will poll our users and see about writing exclusions for specific popular plugins they use, I believe there will be quite a few and would be good to include in the ruleset exclusions. Yoast SEO for one uses it for internal linking (most of the internal linking plugins use it now). I have looked at the rules, seen the other merge, I should be able to get a handle on this.
#1298 has been merged. Is there any outstanding work here?
Yep, basic Gutenberg support is now in. There's an additional request but that's in a separate issue and I will get to that. Thanks for reporting and commenting!
Very sorry for posting here, since this probably isn't meant to be a support forum. But I'm having all of the OWASP rules triggered for the REST API endpoints when attempting to save a post in Gutenberg, implying these exceptions aren't happening. I see this was only resolved relatively recently; is it possible Cloudflare haven't integrated the new ruleset yet? Can provide more details if necessary.
Hi @smerriman, this change is not yet in an official CRS release. It will certainly be in the next release CRS 3.2 but this does not have a timetable yet. We are not aware of how/when Cloudflare picks up our releases, I think they likely use their own internal fork and integrate changes at their own pace.
OK, thanks for the reply. Hopefully the release is very soon, since otherwise it appears there is basically no option other than to disable OWASP rules entirely for any site running WordPress.
It is possible to write a whitelist rule for the API endpoints... that's what I did
Hey @JeffCleverley would it be possible for you to share your whitelist rule here? Thanks!
Kindly consider adding support for the WordPress Gutenberg editor, which is going to be the default editor from the 5.0 release of WordPress.
Currently all Gutenberg functions give 403 errors.
OWASP rules are currently blocking WP Gutenberg autosaves, uploading pictures, saving posts, etc.
The default WordPress exclusions ruleset is enabled, but there are no rules for Gutenberg in the default WP exclusion ruleset.
Till support is added for the Gutenberg editor, is there any temporary solution?