submitting javascript onclick in links with mod security


I received a problem with someone trying to update their web page using php form posts with an application that has been built.On the linux server mod security was enabled.Mod security can prevent http's in your $_POST requests or as I have learned it can also prevent javascriptm specifically an "onclick()" request in the attribute

We use the ckeditor for anything content being published to a page, however the prior information has embeded onclick() attribute that mod security did not like and prevented the form from reaching the php script.

We removed the onclick() function from the attribute and used ckeditor to enter inject target="_blank" and it worked fine.


relevant info:

2015-11-22 17:53:24gstlouis

406 Error - Not Acceptable

Written by Brad Markle


There are many errors that you may see as you visit different websites across the web. One of the more common ones is the 406 - Not Acceptable error. This article explains the error, what causes it, and how to correct it if it happens on your site.

What is the 406 Error?

Web browsers make a request for information from the server. When this happens, it sends an Accept header. This tells the server in what formats the browser can accept the data. If the server cannot send data in a format requested in the Accept header, the server sends the 406 Not Acceptable error.

The error can also be generated by the mod_security module. Mod_security, a type of firewall program that runs on Apache web server, scans for violations of the rules it has set. If an action occurs that violates one of these rules, the server will throw a 406 error.

What caused this error on my site?

In regards to a site on your hosting account, the cause of the 406 error is usually due to a mod_security rule on the server. Mod_security is a security module in the Apache web server that is enabled by default on all hosting accounts. If a site, page, or function violates one of these rules, server may send the 406 Not Acceptable error.

How can I prevent it?

Mod_security can be turned off. You can also disable specific ModSecurity rulesor disable ModSecurity for each domain individually. If you would likemod_security disabled you can disable mod_security via our Modsec manager plugin in cPanel.

2015-11-22 19:00:58