We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Answered Mod_Security and connectors/index.php

    • 38142
    • 91 Posts
    cottagestuff Reply #1, 8 years, 7 months ago
    Two websites upgraded to MODX Revo 2.4 triggered a Mod_Security rule making it impossible to save changes to elements (not resources, this time). Attempts to save changes, e.g. to chunks, make the screen go white except for the Save and Duplicate buttons that remain visible. Screen refresh shows that the changes were not saved. Nothing in the error log. Quick updates work; normal unquick changes do not.

    The hosting company says the rule triggered is the same for both websites:

    Request: POST /connectors/index.php
    Action Description: Access denied with code 403 (phase 2).
    Justification: Match of "contains google_ad" against "MATCHED_VAR" required.

    Is there something I need to do with the MODX installation to stop this happening?

    This question has been answered by sottwell. See the first response.

      • 38142
      • 91 Posts
      cottagestuff Reply #2, 8 years, 7 months ago
      Turns out the problem was caused by the presence of a script in a chunk - a script to do a little Rot13 obfuscation of an email address to be displayed in the website footer: 

      <p>For enquiries click to email us at: 
<script type="text/javascript">
    Rot13.write(' <n uers="znvygb:[email protected]?fhowrpg=Ivyyn Fgevnab jrofvgr radhvel">[email protected]</n>');
</script></p>


      Deleting that meant the chunk could be saved and other alterations could be made.

      Problem now is that no scripts can be included in chunks. Even a completely empty opening script tag (no reference to a .js file and no closing tag) trigger the white screen and nothing is saved. So replacing the above with: 
      <script src="js/email.js"></script>

      in the chunk leaves the chunk unsaveable. The workaround is to use this in the footer chunk: 
      <p>For enquiries click to email us at: <scri[[$email-js]]</p>

      And this in the email-js chunk:
      pt src="js/email.js"></script>

      Both of those chunks can be saved normally.

      Is there something in the MODX installation that needs to be changed?
      [ed. note: cottagestuff last edited this post 8 years, 7 months ago.]
      • discuss.answer
        sottwell Reply #3, 8 years, 7 months ago
        No, this is the result of strict settings in your hosting provider's mod_security. They can forbid any number of things appearing in submitted forms, such as iFrame code, script tags, and even certain words like "casino". There's nothing that MODX can do about that.

        You can use a snippet to insert javascript tags and code using the $modx->regClientScript() and $modx->regClientStartupScript() functions. The functions will automatically insert the script tags in the output without your having to have them in the actual snippet.
        $script = "assets/js/my.js";
$modx->regClientScript($script);

        will insert the necessary tags into the output at the bottom of the page, just before the closing </body> tag.
        <script src="assets/js/my.js"></script>
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
          • 38142
          • 91 Posts
          cottagestuff Reply #4, 8 years, 7 months ago
          Thank you, Susan, for a very informative and helpful reply.
            • 24374
            • 322 Posts
            rainbowtiger Reply #5, 8 years, 6 months ago
            Ask your hosting provider to turn off mod_security for your site, or at least the rules that are getting triggered. I do this all the time.