How To Avoid Disabling Mod_Security Rules Only Because You Want To Use The Support Manager Plugin


L3Y

Hi,

The integrated support manager in Blesta is very nice. BUT: if you enable the plugin, then you need to disable many mod_security / naxsi rules just to be able to post a couple of lines in a ticket. Customers want to send very long codes, and you may ask them to send stuff like email sources, debug codes, etc... It can take a lot of time and effort before you get a stable and secure set of mod_security / naxsi rules.

We all know Blesta is very secure, but it's always better to use an application firewall, like mod_security or naxsi. However, doing this can turn into a nightmare. While trying to submit codes, or any other content with special characters, your customers may see 503 error codes. That's not beautiful :)

Some people may end up doing stupid things like completely disabling mod_security while they should not. Other people will simply start disabling everything they see in the logs. They may disable too many rules, or whitelist too many IPs.

I found a very good way to avoid 503 errors, while keeping most of your naxsi / mod_security rules intact.

With these little changes in your files, your customers will be able to copy/paste and type everything they want in a ticket textfield or subject line, and you won't need to disable all your rules. I can use the support manager plugin with only a couple of rules disabled, in fact.

You can re-enable most of your rules for the support plugin paths by doing this:

1) Go to the support_manager plugin folder and open /views/default/client_tickets_reply.pdt

Add the following at the end of the file, just after the ?>

<script>
function deleteextra() {
    // Current value of the field that fired the event
    var initVal = $(this).val();
    // Replace every character outside the allow-list with a single space
    var outputVal = initVal.replace(/[^0-9a-zA-Z\n\/'@-]/g, " ");

    // Only write back when something was actually removed
    if (initVal != outputVal) {
        $(this).val(outputVal);
    }
}
$().ready(function(){
    $("#summary").keyup(deleteextra).blur(deleteextra);
    $("textarea").keyup(deleteextra).blur(deleteextra);
});
</script>
2) Do the same in client_tickets_add.pdt
 
And voilà :) You are now able to use mod_security with the support manager on the client side; you may also do the same on the admin side (in admin_tickets_add.pdt and admin_tickets_reply.pdt).
 
What does it do? When a customer copies and pastes, or types something in the ticket reply or ticket add textarea, the unwanted special characters will just disappear before the ticket is submitted. It will only keep the following: @.-_   It will also remove the http:// and https:// before a URL, to make sure your staff won't click on any link by mistake.
 
I love jQuery!   :D  :):D
 
You may want to adapt the regex to your requirements, but this works fine for us.
 
I hope this will help someone!
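As an added example (not code from the original post or from the Blesta plugin): the post's regex as a stand-alone function, with a helper that reports which characters it strips, so you can check what a pasted e-mail address, URL or log line turns into before settling on the allow-list. The sample inputs are constructed. Because the filter runs in the customer's browser it only prevents WAF false positives for submissions that go through the form; the server-side rules remain the actual control.

```javascript
// The allow-list is copied from the post's jQuery handler: digits, ASCII
// letters, newline, slash, apostrophe, @ and hyphen survive; everything
// else is replaced with a single space.
const NOT_ALLOWED = /[^0-9a-zA-Z\n\/'@-]/g;

// Pure version of the post's deleteextra() transformation.
function sanitizeTicketText(text) {
  return text.replace(NOT_ALLOWED, " ");
}

// Return the sorted list of distinct characters the filter removed from text,
// so you can see at a glance which symbols customers will lose.
function droppedCharacters(text) {
  const dropped = new Set();
  for (const ch of text) {
    if (sanitizeTicketText(ch) !== ch) dropped.add(ch);
  }
  return [...dropped].sort();
}

// Constructed sample inputs a customer might paste into a ticket.
const samples = [
  "user@example.com",
  "https://example.com/path?x=1",
  "[2024-01-01 10:00:00] error: \"config.php\" line 42",
];

for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(sanitizeTicketText(s)),
              "dropped:", JSON.stringify(droppedCharacters(s).join("")));
}
```

Note that the dot and underscore are stripped, so e-mail addresses and file names arrive mangled; widen the character class if your staff need them intact.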