"Updating failed" when trying to save / publish post containing phrases that are certain SQL commands (solved by sending some API requests as a JSON blob instead of form encoded data to try to avoid triggering some modsec rules, see 5971) #5675
Description
Issue Overview
Ever since Gutenberg 2.3 (though I can't confirm whether or not the issue was happening before that) and still in 2.4, I've had this rather unusual issue where I couldn't save / publish posts containing this phrase:
select from
Trying to save a post containing this text would fail and the "Updating failed" notification would appear.
For example, if I made a post like the following, I would be unable to save it:
Actually, it's worse than that. I could have any number of words in between the "select" and "from", as well as have the words in different paragraphs, and the post would still fail to save:
https://pastebin.com/fwiKSt9F
https://pastebin.com/rYHbK1JT
You can even have the words "select" and "from" right next to each other as "selectfrom" and it will fail to save:
https://pastebin.com/53n3sTNm
Note that the words "select" and "from" have to be typed in lowercase. Making either or both of them uppercase or mixed case will not trigger the error.
I made sure to test this with no plugins (except Gutenberg obviously) enabled, and using the Twenty Seventeen theme. I have tested this with both posts and pages, but not any custom post types, though I assume the error would occur with all post types when using the Gutenberg editor. Also, this phrase does not cause an error when using the Classic Editor. I also tested this with a Divi theme and an old theme built with Artisteer, and I got the same error on all of them. Also, I am using HTTPS on my websites and I am not using Cloudflare. (There have been some issues reported in the past where Cloudflare was being used, but that's not the case for me, and I also seem to be having different errors than them. I couldn't find anyone who was getting 500 errors.)
Here's what my JavaScript Console looks like on Chromium after trying to save a post containing the phrase of death:
load-scripts.php?c=1&load[]=jquery-core,jquery-migrate,utils&ver=4.9.4:9 JQMIGRATE: Migrate is installed, version 1.4.1
load-scripts.php?c=1&load[]=jquery-core,jquery-migrate,utils&ver=4.9.4:4 PUT http://supergeniuszeb.com/wp-json/wp/v2/posts/9067 500 (Internal Server Error)
send @ load-scripts.php?c=1&load[]=jquery-core,jquery-migrate,utils&ver=4.9.4:4
ajax @ load-scripts.php?c=1&load[]=jquery-core,jquery-migrate,utils&ver=4.9.4:4
b @ api-request.min.js?ver=4.9.4:1
REQUEST_POST_UPDATE @ index.js?ver=1521053961:11
(anonymous) @ index.js?ver=1521053961:11
(anonymous) @ index.js?ver=1521053961:6
Le @ react-dom.min.3583f8be.js:92
invokeGuardedCallback @ react-dom.min.3583f8be.js:91
invokeGuardedCallbackAndCatchFirstError @ react-dom.min.3583f8be.js:91
cd @ react-dom.min.3583f8be.js:15
Me @ react-dom.min.3583f8be.js:94
af @ react-dom.min.3583f8be.js:94
da @ react-dom.min.3583f8be.js:16
Zb @ react-dom.min.3583f8be.js:17
pb @ react-dom.min.3583f8be.js:123
yf @ react-dom.min.3583f8be.js:34
batchedUpdates @ react-dom.min.3583f8be.js:169
cc @ react-dom.min.3583f8be.js:26
jc @ react-dom.min.3583f8be.js:35
Interestingly, the PUT request with the 500 error does not show up in the JavaScript console on Firefox Nightly. (The post still fails to save and gives the same "Updating failed" notification, though.) Not sure if that's a bug in Nightly or just a difference between Firefox and Chromium/Chrome.
Steps to Reproduce (for bugs)
- Create a new post.
- Put the phrase "select from" into a paragraph.
- Feel free to put any number of words in between and around those words, or even put them in separate paragraphs.
- Try saving the draft or publishing the post.
- The post will not save and you will get the "Updating failed" notification.
Expected Behavior
The post should save properly and shouldn't give any HTTP status code 500 errors.
Current Behavior
Trying to save a post containing the word "select" followed by the word "from" will not work, and the "Updating failed" notification will appear. An HTTP status code 500 error will occur.
Possible Solution
The phrase "select from" sounds like code to me. I suspect this has something to do with how the parsing of the document is handled by the Gutenberg editor. Perhaps the parser misinterprets the phrase as code that is supposed to be executed? And apparently it somehow manages to misinterpret it even if there are tons of words between the "select" and "from".
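The issue title attributes the failure to ModSecurity rules that fire on form-encoded API requests but not on JSON ones. The following is an added example, not code from Gutenberg or from the reporter: it models that behaviour with a constructed pattern (`ASSUMED_RULE`, an assumption picked to reproduce the symptoms in the report, not the host's real rule) and assumes the WAF parses form bodies into arguments but has no JSON body processor enabled.

```javascript
// Added example. ASSUMED_RULE is a constructed stand-in that reproduces the
// reported symptoms; it is not the hosting provider's actual ModSecurity rule.
const ASSUMED_RULE = /select[\s\S]*from/; // case-sensitive, spans paragraphs

// Model of what a rule written against parsed request arguments gets to see.
// Assumption: the WAF parses form-encoded bodies into arguments but has no
// JSON body processor enabled, so a JSON body yields no arguments.
function inspectedArgs(contentType, body) {
  if (contentType.startsWith("application/x-www-form-urlencoded")) {
    return [...new URLSearchParams(body).values()];
  }
  return [];
}

function wafBlocks(contentType, body) {
  return inspectedArgs(contentType, body).some((v) => ASSUMED_RULE.test(v));
}

// The same post update serialised both ways.
function asForm(post) {
  return { type: "application/x-www-form-urlencoded", body: new URLSearchParams(post).toString() };
}
function asJson(post) {
  return { type: "application/json", body: JSON.stringify(post) };
}

// Constructed post bodies mirroring the cases in the report.
const SAMPLES = {
  adjacent: "<p>select from</p>",
  separateParagraphs: "<p>Please select one.</p>\n\n<p>Words from elsewhere.</p>",
  joined: "<p>selectfrom</p>",
  mixedCase: "<p>Select From</p>",
  benign: "<p>Nothing unusual here.</p>",
};

// For each sample, report whether the modelled rule blocks each encoding.
function falsePositiveReport() {
  const report = {};
  for (const [name, content] of Object.entries(SAMPLES)) {
    const form = asForm({ content });
    const json = asJson({ content });
    report[name] = {
      form: wafBlocks(form.type, form.body),
      json: wafBlocks(json.type, json.body),
    };
  }
  return report;
}

console.log(falsePositiveReport());
```

In this model the JSON request passes only because its body is never parsed into arguments; if JSON parsing is enabled on the WAF, the same pattern matches again, so the lasting fix for the false positive is tuning the rule itself.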