On March 26, 2019 we launched new MODX Forums. Please join us at the new MODX Community Forums.
Subscribe: RSS
  • Shortly after we upgraded all our clients MODX sites to 2.6.5 we noticed that we weren't able to save chunks if the chunk contained anything more than the most basic of HTML. Scripts, head tags, meta tags, links to stylesheets, etc wouldn't be accepted. Clicking the Save button would result in the saving progress bar appearing for a split second, then it would disappear, and the chunk content wouldn't save.

    Moving these scripts and tags into a template worked fine and that's what we've had to do, but obviously it's not ideal having duplicated meta tags, font and stylesheet links at the top of each template.

    I thought it was a mod security issue and have inserted the following into our .htaccess file.
    <IfModule mod_security.c>
    SecFilterEngine Off SecFilterScanPOST Off
    </IfModule>


    I've bumped PHP down to 5.4.
    I've checked the following two files:
    core/model/modx/mysql/modchunk.map.inc.php
    core/model/modx/mysql/modsnippet.map.inc.php
    and done the "_-" to "-_" thing

    I've set JS and CSS compression to 0, repaired the database, cleared cache, cookies, re-installed, uninstalled all Extras, not using TinyMCE. We've upgraded some of the sites to 2.7.0 and 2.7.1 but still no luck. What else can I try?

    Due to the number of our sites that have been affected and the lack of info about this topic in this forum, I'm assuming it's related to our web host and perhaps still a mod_security issue. Can anybody point me in the right direction? What should I be asking our host?

    By the way, on some of our sites we weren't able to create new chunks either, and would get an error stating that the chunk name was invalid. I initially thought this was the one and same problem as the above, but it turned out to be a collation issue where our MySQL db was set to latin swedish while MODX was set to UTF8. Changing the collation of the db to UTF8 in PHPMyadmin solved this problem. However the problem of saving chunks with scripts and tags still persists.

    Any help would be appreciated!
      Creative Director - Throwstone Web Design Melbourne
    • It's almost certainly a mod_security issue, and I don't think it's related to upgrading MODX -- more likely a change in the hosting environment.

      Those two directives need to be on separate lines in .htaccess:

      <IfModule mod_security.c>
      SecFilterEngine Off 
      SecFilterScanPOST Off
      </IfModule>


      It still won't work if the host has things configured so that you can't turn off mod_security in .htaccess, which is fairly common.

      I would ask the host to turn off mod_security for the sites.

      If that doesn't work, I'd ask to have it off for the Manager directory.

      Last resort: https://bobsguides.com/modx-friendly-hosts.html

        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
      • The host said that the directives placed in the .htaccess file should turn mod_security off and they can't disable it further for me.

        I've attached a screenshot of Chrome's Console when I try to save a chunk. The chunk contains a script that had already been saved previously with no problems, however now all I'm trying to do is to update the chunk by adding a single random character. Does this shed any light?
          Creative Director - Throwstone Web Design Melbourne
        • This definitely is mod_security, or probably. For me it was certain text-heavy pages, and it led to no saving chunks, or snippets, and so on.

          One painful workaround is to made each chunk you need have a bit of code then refer to another chunk with another bit of it and so on. I had trouble putting in Verisign's dumb error filled code and only got it up by doing it in pieces, well verisign's stuff was all in one and then the main one. anyway that's real fun.

          Tell your hoster to relax the rules or give you more info, that's not a good attitude from them. if you want to solve the problem completely then get them to turn off mod_sec on the manager folder, it has basically no danger to do so.

          You would otherwise need to know what rules were violated. They're fun, you learn that two 'casinos' is ok but three will trigger a rule. One broken rule screws up the site and then you can't violate any of the other rules until its fixed (rule removed), then you test again and run into another one...
          • I don't recognize the error message. On thing that others reported when having trouble saving chunks is a mismatch between the MODX date_timezone setting and the date/time settings for Apache and PHP.
              Did I help you? Buy me a beer
              Get my Book: MODX:The Official Guide
              MODX info for everyone: http://bobsguides.com/modx.html
              My MODX Extras
              Bob's Guides is now hosted at A2 MODX Hosting
            • BTW it seems to me the php version is not the issue, so it would be better to go back to the newest version
              • This issue has finally been resolved. The host initially agreed to turn mod_security off for 24 hours for me, during which I could save all tags and scripts in my chunks again. Problem solved... sort of.

                Then the situation arose with a different client's site and when I requested mod_security to be turned off temporarily, this time, the support rep took the time to troubleshoot and whitelist all mod_security rules that were triggered when saving chunks with scripts.

                In case this helps somebody else, the whitelisted rules were:

                211090
                211190
                212320
                212700
                212740
                212770
                212860
                212890
                212970
                212980
                212990
                973320
                973321

                Thanks nuan88 and BobRay.
                  Creative Director - Throwstone Web Design Melbourne
                • In my experience, for almost every mod_security problem, the hosting service initially denies that it's a problem with mod_security. wink

                  The problem with having them turn off specific rules is that you never know that you've turned off all the relevant rules, or when a new MODX extra is going to cause mod_security problems. Some hosts are willing to turn off mod_security altogether for the Manager folder.

                  FWIW, I've never heard of a mod_security problem at any of the hosts here: https://bobsguides.com/modx-friendly-hosts.html. I test all my extras at Bob's Guides (on A2 Hosting) and have never had any reason to suspect tha mod_security is having any effect at all on my sites.

                    Did I help you? Buy me a beer
                    Get my Book: MODX:The Official Guide
                    MODX info for everyone: http://bobsguides.com/modx.html
                    My MODX Extras
                    Bob's Guides is now hosted at A2 MODX Hosting