Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter Jeusu

    (@jeusudigital)

    Hi, The issue is not resolved and still exists.

    The problem is the builder loads in pages via Ajax, and in those pages is code that Wordfence blocks, i.e. SVG code.

    You can indeed whitelist the action with something like this:
    [‘request.body[properties]’][]

    The problem is you would need to do this for every page on your website as it would trigger again when you tried to load in a different page.

    The developer has now added this to all Ajax request URLs made by the builder:
    _breakdance_doing_ajax=yes

    The only way I can see the issue being resolved is if a rule is added on the plugin side for the Breakdance Builder plugin, with a wildcard for any URL that contains the above query parameter.

    There does not seem to be a viable alternative apart from, as you mentioned, turning off global protections, which is not ideal, or continuing to add IP addresses as ignore rules.

    Here is the Github issue on it:
    https://github.com/soflyy/breakdance-bugs/issues/608

    It would be good if one of your team could speak to Louis Reingold:
    https://github.com/louisreingold

    And come up with a solution.

    Thanks

    Thread Starter Jeusu

    (@jeusudigital)

    Hi, yes, the same happens, as learning mode will only add in the pages you have tried to edit. So unless you tried to edit every single page / template, you will still be blocked on any page not used during learning mode.

    I have been doing some further testing and it seems this is not specific to the code blocks in the builder but seems to be down to SVG code.

    So if I insert a new code block using the builder and then paste a simple SVG code such as this:

    <svg height="100" width="100">
      <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
      Sorry, your browser does not support inline SVG.  
    </svg> 

    It immediately triggers the block as it tries to render the SVG.
    The same thing happens when I insert any type of icon based block in the builder and set a custom icon.

    It is this rule that is blocking it, in /wp-content/wflogs/rules.php line 32:

    $this->variables['xssRegex'] = new wfWAFRuleVariable($this, 'xssRegex', '/(?:
    #tags
    (?:\\<|\\+ADw\\-|\\xC2\\xBC)(script|iframe|svg|object|embed|applet|link|style|meta|base|\\/\\/|\\?xml\\-stylesheet)(?:[^\\w]|\\xC2\\xBE)|

    If I remove the SVG part there in the regex it no longer happens.

    Though I imagine having other tags included in that regex would trigger it too.

    • This reply was modified 1 year, 3 months ago by Jeusu.
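Added example, not part of the posts above and not Wordfence or Breakdance code: it runs only the "#tags" alternative quoted from rules.php against constructed request bodies to show which inputs trip it. `should_skip_rule` is a hypothetical exception scope: it assumes an editor-session check alongside the `_breakdance_doing_ajax=yes` marker and the `request.body[properties]` field, since the marker itself is a client-supplied query parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Only the "#tags" alternative quoted in the post (the rule text is cut off
# after it), moved from the PHP single-quoted string into a Python bytes regex.
TAG_BRANCH = re.compile(
    rb"(?:<|\+ADw-|\xC2\xBC)"
    rb"(script|iframe|svg|object|embed|applet|link|style|meta|base|//|\?xml-stylesheet)"
    rb"(?:[^\w]|\xC2\xBE)"
)

# Constructed sample bodies; the first is the SVG from the post on one line.
SVG_SAMPLE = (b'<svg height="100" width="100"><circle cx="50" cy="50" r="40" '
              b'stroke="black" stroke-width="3" fill="red" /></svg>')
SAMPLES = {
    "inline svg": SVG_SAMPLE,
    "style tag": b"<style>.a{color:red}</style>",
    "plain text": b"<p>An svg icon</p>",
    "escaped": b'&lt;svg height="100"&gt;',
}

def tag_hit(body: bytes):
    """Return the tag token that makes the branch match, or None."""
    m = TAG_BRANCH.search(body)
    return m.group(1).decode() if m else None

def flag_present(url: str) -> bool:
    """True when the URL carries the builder's _breakdance_doing_ajax=yes marker."""
    return parse_qs(urlsplit(url).query).get("_breakdance_doing_ajax") == ["yes"]

def should_skip_rule(url: str, param: str, user_can_edit: bool) -> bool:
    """Hypothetical scope: marker AND the properties field AND an editor session.

    user_can_edit is an assumed input (e.g. the result of a capability check);
    the marker alone only says which code path the client claims to be on.
    """
    return (flag_present(url)
            and param == "request.body[properties]"
            and user_can_edit)

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} -> {tag_hit(body)}")
```
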
    Jeusu

    (@jeusudigital)

    Same issue here, does not seem to be clearing cache after auto updates.
    I have added this hook: upgrader_process_complete
    under Cache / Purge / Purge All Hooks

    Will wait and see if it fixes it.

    From what I can see the issue is it looks for the combined CSS and JS cache files under: /wp-content/litespeed/css/ and /wp-content/litespeed/js/ and the files do not exist.

    • This reply was modified 1 year, 11 months ago by Jeusu.
    Jeusu

    (@jeusudigital)

    I have just discovered that Gravity Forms now require an Elite licence to download the Google Analytics add-on costing $259 a year and our Developer licence is now legacy and not able to access it. I hope you do keep this one maintained as at this price point new customers would likely not want to buy and existing would likely not want to pay over twice as much to access a plugin previously free.
