Description
Current behavior
Sites on a platform leveraging a WAF with CRS Rule ID 920470 may have attempts to toggle on/off snippets via the plugin's AJAX-powered buttons encounter HTTP 406.
This happens because the semicolon in the Content-Type header is missing (a typo or stripped out), which conflicts with the header syntax the rule's regex requires.
Users visiting /wp-admin/admin.php?page=snippets may be unable to leverage the toggle buttons to activate/deactivate snippets.
When the toggle button's AJAX action is performed to toggle a snippet, it sends this Content-Type header:
application/x-www-form-urlencoded charset=UTF-8
This is missing a semicolon before charset, so the WAF’s rule 920470 flags it as invalid and returns a 406 Not Acceptable.
It should be application/x-www-form-urlencoded; charset=UTF-8
This can be verified with a simple request.
Invalid, no semicolon -> 406:
curl -i -XPOST \
-H "Content-Type: application/x-www-form-urlencoded charset=UTF-8" \
https://example/wp-admin/admin-ajax.php
HTTP/2 406
Valid, semicolon, not blocked (returns 400 because this isn't a proper request; the goal here is only to demonstrate that it doesn't get blocked with a 406):
curl -i -XPOST \
-H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
https://example/wp-admin/admin-ajax.php
HTTP/2 400
While this may seem overly strict, the semicolon is not just a requirement to get past this WAF rule; it is a requirement of the HTTP spec: https://datatracker.ietf.org/doc/html/rfc7231#section-3.1.1
This would need to be fixed wherever this header is being set.
I've not checked much but https://github.com/codesnippetspro/code-snippets/blob/c4b2a57ab0e1ea0fac5357c54d82d6b12ab37558/src/js/services/manage/requests.ts#L14 may be a start
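To make the failure concrete, here is an added example (not the plugin's own code) of a minimal media-type parser following the RFC 7231 grammar, the kind of syntax check a rule like CRS 920470 applies, next to a guarded request builder that refuses to send the malformed value. The function and field names are assumptions for illustration.

```typescript
// Added example, not code from the Code Snippets plugin: an RFC 7231 §3.1.1.1
// media-type check (type "/" subtype *( ";" parameter )) and a hypothetical
// builder for the admin-ajax.php POST that validates its own header first.

// RFC 7230 "token": visible ASCII except delimiters; a space is not allowed.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const TYPE_RE = new RegExp(`^${TOKEN}/${TOKEN}$`);
// parameter = token "=" ( token / quoted-string )
const PARAM_RE = new RegExp(`^(${TOKEN})=(${TOKEN}|"(?:[^"\\\\]|\\\\.)*")$`);

interface ParsedContentType {
  type: string;
  params: Record<string, string>;
}

// Returns null for any value that is not a well-formed media type.
function parseContentType(value: string): ParsedContentType | null {
  const parts = value.split(";").map((p) => p.trim());
  // With the semicolon missing, "charset=UTF-8" becomes part of the subtype
  // and the embedded space fails the token grammar.
  if (!TYPE_RE.test(parts[0])) return null;
  const params: Record<string, string> = {};
  for (const part of parts.slice(1)) {
    const m = PARAM_RE.exec(part);
    if (m === null) return null;
    params[m[1].toLowerCase()] = m[2];
  }
  return { type: parts[0].toLowerCase(), params };
}

// What the plugin sent (from the report) and what it should send.
const BROKEN_CONTENT_TYPE = "application/x-www-form-urlencoded charset=UTF-8";
const FIXED_CONTENT_TYPE = "application/x-www-form-urlencoded; charset=UTF-8";

// Hypothetical request builder for the snippet toggle; it throws rather than
// emit a Content-Type that a spec-conformant parser (or the WAF) would reject.
function adminAjaxInit(action: string, fields: Record<string, string>,
                       contentType: string = FIXED_CONTENT_TYPE) {
  if (parseContentType(contentType) === null) {
    throw new Error(`malformed Content-Type header: ${contentType}`);
  }
  return {
    method: "POST",
    headers: { "Content-Type": contentType },
    body: new URLSearchParams({ action, ...fields }).toString(),
  };
}
```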
Expected behavior
For the AJAX toggle requests to get a successful HTTP response.
Steps to reproduce
No response
WordPress version
6.8.2
Code Snippets version
3.6.8
Code Snippets license
Core (free)
Anything else?
No response