Error 403 on form submit

I’ve got a problem with a form in the administration area of my website. I use it for changing the displayed HTML text, it is written in PHP and connects to a MySQL database.

echo "<form action=\"index.php?kat=infos&aktion=upd&kategorie=$kategorie\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\">\n";
echo "<table border=\"0\">\n";
echo "<b>$kategorie</b>\n";
echo "<tr><td><b>Information:</b></td><td><textarea name=\"info\" cols=\"50\" rows=\"7\">$info</textarea></td></tr>\n";
echo "<tr><td><input type=\"submit\" value=\"Editieren\" /></td></tr>\n";
echo "</table>\n";
echo "</form>\n";

If i enter some small sentences like “This is a test text only.” and click the submit-button, the index.php accepts the data and inserts it into the database just as it should. But if I enter a longer text like the disclaimer from http://www.juraforum.de/disclaimer_muster/ I get a Error 403 on form submit.
I do not think it is because of the longer text, because if I write some longer random text in there it works, too.

I hope you can help me with this one.

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

The 403 Status Code means:

10.4.4 403 Forbidden

The server understood the request, but
is refusing to fulfill it.
Authorization will not help and the
request SHOULD NOT be repeated. If the
request method was not HEAD and the
server wishes to make public why the
request has not been fulfilled, it
SHOULD describe the reason for the
refusal in the entity. If the server
does not wish to make this information
available to the client, the status
code 404 (Not Found) can be used
instead.

The disclaimer seems to contain several HTML tags and they apparently get printed unescaped on the page.

My wild guess is that there’s a piece of software installed on the server (possibly mod_security) that rejects the input because it considers it’s an attempt to perform a XSS attack. You can confirm (or reject) this hypothesis by temporarily removing the < and > symbols before pasting it into the textarea.

Solution 2

Here’s the solution that works for me:

Apparently mod_security did not like that the name of the textarea was “info”. After changing it to “text” there were no more problems and I can now enter any text I want.

Thank you for your help

Solution 3

Just adding to this to say that I also had this problem and it turned out to be a mod_security rule that false-positived, that caused the problem. The host of the site was able to whitelist the domain against the particular rule. The rule was apparently 211580 – “COMODO WAF: SQL Injection Attack”.

Solution 4

You will get this issue when you submit a form with a url. posting urls might be blocked in server for security reasons.

Solution 5

Had the same problem. Changing the name of the textarea from “info” to something else seemed to work.

Solution 6

I was also suffering with this problem, until I worked out that having a combination of HTML tags and slashes in a <textarea> field caused it. This was also code that was to be inserted into a database.

I was already using mysqli_real_escape_string(), but that didn’t seem to make a difference.

Solution 7

<?php
$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment" rel="nofollow noreferrer noopener">Other text</a>';
echo strip_tags($text);
echo "\n";

// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>

Or

1.Use [strip_tags()][2]
2.Use [HTML Purifier][1] (recommended)


http://www.php.net/manual/en/function.strip-tags.php
http://htmlpurifier.org/

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply