Wordfence blocks action – error 403 – when trying to update plugin settings

  • Resolved victorpietro

    (@victorpietro)


    3 years, 9 months ago

    Hello, I’ve just installed the plugin and when changing any setting – in this case I’ve just changed Home Breadcrumb “title” property from “Go to %title%.” to something else – and clicking on update button, Wordfence blocks this action and gives me the following error message (403):

    user_name in City, Country left https://website.com.br/wp-admin/options-general.php?page=breadcrumb-navxt and was blocked by firewall for XSS: Cross Site Scripting in POST body: bcn_options=%3Cspan%20property%3D%22itemListElement%22%20typeof%3D%22ListItem%22%3E%3Cspan%20property%3D%22name%… at https://website.com.br/wp-admin/options-general.php?page=breadcrumb-navxt

    Is this normal?

    Thanks in advance.

    • This topic was modified 3 years, 9 months ago by victorpietro.
    • This topic was modified 3 years, 9 months ago by victorpietro.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author John Havlik

    (@mtekk)

    That looks like WordFence is being way too aggressive (unless you actually are trying to set something ‘bad’ in the settings but that doesn’t sound like it’s the case). For whatever reason, WordFence doesn’t seem to like the breadcrumb templates, which are settings that allow some HTML. That said, before the breadcrumb template settings are actually saved, they are run through wp_kses() with a very limited list of allowed tags and attributes. JavaScript of any type (required for XSS) will be stripped out at that stage.

    Thread Starter victorpietro

    (@victorpietro)

    Thanks for clarifying John!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Wordfence blocks action – error 403 – when trying to update plugin settings’ is closed to new replies.