403 Forbidden if input contains “script”

Posted 2019-06-01 12:22

I am facing one kinda odd problem and I'd appreciate any help. I am looking to have a page submit a Google Adsense code and then save it to the database (I have an input field to accept GA code and a submit button, very simple form). The thing is, I always get 403 Forbidden when submitting the form if the input field contains "<script>" as a value. If I try to submit anything else it works fine, but I can't figure out why text must not contain "<script>".

Note: it's not a problem with mysql escape or something similar, it happens even if I comment out complete PHP code. It just seems like POST won't accept this.

Another thing to mention, this problem DOES NOT occur on localhost (xampp), but only when uploaded to Namecheap hosting.

Any ideas why this happens and how to make a workaround?

2 answers
倾城 Initia
Post #2 · 2019-06-01 12:45

Namecheap has probably configured mod_security rules on their servers to block posts which contain tags, as allowing these tags to be posted back to a webpage opens the door to very serious client-side scripting vulnerabilities if the web app doesn't handle this correctly. If the post can even make it to PHP (which in your case it can't), you should be able to call htmlspecialchars or htmlentities on it to filter these out. If Namecheap is doing this for you and this is a problem, then there's not much you can do other than changing hosts, as shared hosting doesn't allow you any say over server configuration.

趁早两清
Post #3 · 2019-06-01 13:02

I had this problem, I needed to use tags in the form I was submitting in the admin system (embedding a google adsense ad).

To fix, I edited the .htaccess file and added the line SecFilterEngine Off.

I only needed to do this temporarily to get the job done & turn it back on when I'm done.

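Added example, not part of the thread and not Namecheap's actual configuration: a ModSecurity 2.x sketch of the kind of rule the first answer describes, next to a per-parameter exception as a narrower alternative to switching the whole engine off. The rule IDs, the /admin/save-ad.php path and the adsense_code parameter name are assumptions, and the fragment belongs in server configuration, which shared hosting usually does not expose.

```apache
# Constructed ModSecurity 2.x illustration; the host's real rule set is not on the page.
# (SecFilterEngine in the answer above is the ModSecurity 1.x directive;
#  2.x uses SecRuleEngine.)
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On

    # Exception (assumed names): on one admin endpoint, stop rule 1000001 from
    # inspecting one parameter. Every other rule and parameter stays protected.
    SecRule REQUEST_FILENAME "@streq /admin/save-ad.php" \
        "id:1000000,phase:1,pass,nolog,ctl:ruleRemoveTargetById=1000001;ARGS:adsense_code"

    # The kind of rule that produces the 403. Phase 2 runs once the request body
    # has been read and before the content handler (PHP), so the application
    # code never sees the blocked POST.
    SecRule ARGS "@rx (?i)<script" \
        "id:1000001,phase:2,deny,status:403,log,msg:'script tag in request parameter'"
</IfModule>
```

With such an exception in place the application is the only control on that field, so write access should stay limited to administrators and the stored value should go through htmlspecialchars everywhere except the ad slot itself.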