• Resolved mikehues

    (@mikehues)


    I’ve set up a block that is pulling job listings from a Palocity API. Everything works fine on my local dev site. But I get errors on the stage and production sites on WPEngine. The page displays fine on the front end. However, when trying to edit the page with the block editor, I get this message:

    Error loading block: The response is not a valid JSON response.

    I see a 403 error in the console for this file:

    /wp-json/wp/v2/block-renderer/jci/jcifree-block-script

    Here is the stacktrace:


    This is the template that is throwing the error:

    {subloop-array:jobs:-1}
    <div class="job-feed-listing checkbox-accordion">
        <input type="checkbox" id="job-{jobs.jobId}" />
        <label for="job-{jobs.jobId}">
            <h4>{jobs.title}</h4>
            <span class="job-location">
                {subloop:jobs.jobLocation:-1}
                    {jobs.jobLocation.city:ifNotEmptyAddRight:, }{jobs.jobLocation.state}
                {/subloop:jobs.jobLocation}
            </span>
        </label>
        <article>
            {subloop:jobs.jobLocation:-1}
                <p><a target="_blank">{jobs.jobLocation.city:ifNotEmptyAddRight:, }{jobs.jobLocation.state}</a></p>
            {/subloop:jobs.jobLocation}
            {subloop-array:jobs.jobTypesArray:1}
                <h4>Job Type:</h4>
                {0}
            {/subloop-array:jobs.jobTypesArray}
            <h4>Description</h4>
            <div class="job-description">{jobs.description:html}</div>
            <h4>Requirements</h4>
            <div class="job-requirements">{jobs.requirements:html}</div>
            <a class="button" href="{jobs.applyUrl}" target="_blank">Apply for {jobs.title}</a>
        </article>
    </div>
    {/subloop-array:jobs}

    I can get simpler templates to work without errors. For example, if I delete the two lines that contain the word “description”, the error goes away.

    I reached out to my hosting company, but they were unable to resolve the issue. They suggested reaching out to the plugin author for help.

    I’m hoping that you can provide some information or guidance on how to debug this issue.

    thanks,

    Mike

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter mikehues

    (@mikehues)

    I did a few more tests with some simpler template strings.

    This works:

    script<br>

    This throws the error:

    <br>script<br>

    and so does this:

    <script>

    So, it appears there is an issue with the template string including something that looks like a potential script tag. I hope this information is helpful.

    Mike

    Plugin Author berkux

    (@berkux)

    Hi Mike,

    a 403 error usually means missing authentication when retrieving the JSON from a URL. This would mean that some username, password or something like this has to be added.

    If you like, you can post the URL in private via
    https://jsoncontentimporter.freshdesk.com/widgets/feedback_widget/new?searchArea=no

    About the “description” and “script”: when you can’t retrieve the JSON there is nothing to display. Or is this another question?

    Bernhard

    Thread Starter mikehues

    (@mikehues)

    Hi Bernhard,

    I shared the API URL through the link you provided. The API does not require authentication.

    The plugin works perfectly on my local development site. But when I try it on the stage and production sites (which are hosted on WPEngine) I get errors when I edit the page in the block editor. However, the content is successfully pulled from the API and displayed on the front end when viewing the page.

    Regarding the words “description” and “script”: as long as the template field does not contain these words, the plugin works as expected. I can pull the job titles, location info, requirements, etc. from the API and everything works fine. It’s only when I add the job description to the template that I see the error in the block editor.

    With further testing, I noticed that it is actually the word “script” appearing between “<” and “>” that seems to cause the error. If the template field contains “<script>” or “<br>script<br>” or “<h3>Description</h3>”, the 403 error occurs.

    I hope this makes the issue more clear. Thanks for your help.

    Mike

    Plugin Author berkux

    (@berkux)

    Hi Mike,

    With the free test gut-block at demo.json-content-importer.com I used the API JSON URL you sent and added <script>alert(‘hello’);</script> to the free JSON block. I can’t see a problem like a 403.

    If you switch on the debug mode in the JCI block you should see the grabbed JSON and the rendered data.
    As I can’t reproduce the problem: maybe temporary access to your test site at WPEngine is an option. If so, please post me the access data at the Freshdesk ticket system.

    Bernhard

    Thread Starter mikehues

    (@mikehues)

    Hi Bernhard,

    In an attempt to narrow down the cause of my issue, I’ve set up a new test site. It’s a fresh install of WordPress with only JCI installed. Here are some more stats:

    • WordPress 6.2
    • Twenty Twenty Three 1.1
    • JSON Content Importer 1.3.17
    • PHP 8.0.28
    • There are 2 Drop-ins and 5 Must Use Plugins listed in Site Health > Info

    I created a test page that contains only a single JCI block - https://muirwooddev.wpengine.com/?page_id=5

    I left the default settings of the block and enabled debug mode. I also added the word “script” to the end of the Template To Use For JSON field. The page currently works as expected. To reproduce the error, type a “>” after the word script. When the block tries to auto-update its contents, the 403 error is thrown.

    I will share access with you in the Freshdesk ticket system.

    I will also notify my hosting company of the new simpler test so their support team can have another shot at debugging the issue on their end.

    Thanks again for your help.

    Mike

    Plugin Author berkux

    (@berkux)

    Hi,

    OK, I started investigating this. My findings:
    OK-URL: https://muirwooddev.wpengine.com/index.php?rest_route=/wp/v2/block-renderer/jci/jcifree-block-script&attributes%5Btemplate%5D=ascript>a
    NOT-OK-URL:
    403 Forbidden (wpengine.com)

    The difference is a <
    I continue exploring this.

    Bernhard

    Plugin Author berkux

    (@berkux)

    And: It’s completely independent of the JCI-Plugin (403 event with a deactivated JCI Plugin):
    https://muirwooddev.wpengine.com/index.php?rest_route=/wp/v2/block-renderer/&attributes%5Btemplate%5D=a%3Cscript%3Ea

    I’ll check if an idea for a workaround will work.

    Thread Starter mikehues

    (@mikehues)

    Thanks Bernhard. I’ll pass this information along to my hosting company and see what they find.

    Mike

    Plugin Author berkux

    (@berkux)

    My guess is that some settings at WPEngine try to filter out <script> and this crashes the JSON.
    I installed a beta version of the coming new JCI-free on your website.
    There in the block (not in the shortcode way) this works:

    start: {start}<br>{subloop-array:level2:-1}level2: {level2.key}<br>{subloop:level2.data:-1}id: {level2.data.id}, type: {level2.data.type}<br>{/subloop:level2.data}{/subloop-array:level2}
    #LT#script#GT#alert('hi');
    #LT#/script#GT#

    #LT# is replaced by <, #GT# by >

    Bernhard
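    The 403 and the #LT#/#GT# workaround, as an added example that is not part of this thread or of the JCI plugin: it builds the block-renderer request the editor issues, runs it through a stand-in firewall rule that blocks a decoded "<script" token (an assumption; WPEngine's real rule is not disclosed), and shows that placeholder-encoding the template attribute passes where the raw markup is blocked. The SITE value and the simulateRequest helper are constructed for the example.

```javascript
// Added example (not JCI plugin code). Demonstrates why the editor's
// block-renderer request trips a "<script>" firewall rule and how the
// #LT#/#GT# placeholder scheme described in the thread avoids it.
const SITE = "https://example.test"; // constructed placeholder domain

// Build the REST URL the block editor's ServerSideRender issues
// (route seen in the thread: /wp/v2/block-renderer/<block>).
function buildBlockRendererUrl(block, template) {
  const params = new URLSearchParams();
  params.set("attributes[template]", template);
  return `${SITE}/index.php?rest_route=/wp/v2/block-renderer/${block}&${params}`;
}

// Client side: replace angle brackets with the placeholders the plugin
// author described (#LT# stands for "<", #GT# for ">").
function encodeTemplate(template) {
  return template.replace(/</g, "#LT#").replace(/>/g, "#GT#");
}

// Server side: restore the markup before the template is rendered.
function decodeTemplate(encoded) {
  return encoded.replace(/#LT#/g, "<").replace(/#GT#/g, ">");
}

// Stand-in for the hosting firewall. ASSUMPTION: the real WPEngine rule is
// undisclosed; this one URL-decodes the query string and blocks when a
// "<script" token appears, which is enough to reproduce the thread's finding
// that "a%3Cscript%3Ea" is refused while "ascript>a" is accepted.
function wafWouldBlock(url) {
  const query = url.slice(url.indexOf("?") + 1);
  const decoded = decodeURIComponent(query.replace(/\+/g, " "));
  return /<\s*script\b/i.test(decoded);
}

// Simulated editor round trip (constructed helper): returns the status the
// editor would see and the template the server would actually render.
function simulateRequest(template) {
  const encoded = encodeTemplate(template);
  const url = buildBlockRendererUrl("jci/jcifree-block-script", encoded);
  if (wafWouldBlock(url)) return { status: 403, rendered: null };
  const received = new URL(url).searchParams.get("attributes[template]");
  return { status: 200, rendered: decodeTemplate(received) };
}
```

    The placeholder scheme only works if the template never legitimately contains the literal strings #LT# or #GT#, and the server must decode before rendering, not before validation.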

    Thread Starter mikehues

    (@mikehues)

    Hi Bernhard,

    WPEngine finally confirmed that they have security measures in place that filter out <script>. It is a system wide rule that they are unable to remove. Fortunately, the plugin is working perfectly on the front end. It is only a small inconvenience to work around the error in the editor.

    I appreciate all your help with this issue.

    thanks,

    Mike

  • The topic ‘Error Loading Block – jcifree-block-script 403 forbidden’ is closed to new replies.