403 error when saving ad with javascript



This topic contains 6 replies, has 2 voices, and was last updated by  Gwyneth Llewelyn 1 year, 2 months ago.

  • #33780

    Hi there, I’m aware that this might not be a problem with AdRotate at all, but just with my server’s configuration — nevertheless, perhaps you might give me some clues on where to search for a solution.

    I’m using WP 4.8, AdRotate (Free) 4.4, Jetpack 5.1, Wordfence Security 6.3.12, WP Fastest Cache 0.8.7.0 and WP Fastest Cache Premium 1.3.4 (among many others, but I believe these are the relevant ones). The server runs Ubuntu 16.04.2 LTS and as of today it has nginx 1.12.0 built with OpenSSL 1.0.2g and PHP 7.0.18-0ubuntu0.16.04.1 (configured using PHP-FPM), database is MariaDB Ver 15.1 Distrib 10.0.29. My overall webserver configuration tool is ISPConfig 3.1.

    When trying to add or modify an ad which contains JavaScript (or rather even just tags), I get a 403 error – Forbidden. There are no errors whatsoever in the logs (I can see the request being made on access.log, but error.log is clean). I have entered the Maintenance tab and added all debug settings to see if I got more information, but there was nothing there — as soon as the page is submitted for adding/modifying an ad, it bombs out with a 403. As per the suggestion on the manual pages, I have whitelisted https://ajdg.solutions/ and 70.32.82.185, even though I have no pro license for AdRotate (yet!).

    I made my tests with Google AdSense first, and as per advice on the page I unchecked ‘Enable click and impression tracking for this advert.’. To make sure it was not just one specific type of JavaScript that had problems, I just typed , which is enough to get the 403 error.

    Ads without Javascript in it work flawlessly, either with or without the special %asset%, %image%, etc. tags. AdRotate Switch did not work, possibly also because the ads contained JavaScript (I have used Advertising Manager previously), I don’t know.

    To make sure that the problem is when submitting the form, and not with AdRotate (or the rest of the plugins, configuration, etc.), I manually placed the JavaScript code or Google Adsense in the database entry, using phpMyAdmin. I noticed that the other ad entries (those with static images) were all correctly escaped (e.g. <a...>). As expected, this works flawlessly: not only the ad shows correctly on AdRotate, with exactly the JS snippet I had manually inserted (with the live preview fully operational), but it also shows on the pages it is supposed to be shown (after the cache was cleared). No errors are found anywhere. Of course, if I open that ad with JS and try to save it, I get the 403 error again. So the issue is really just when submitting JavaScript via the form — something is hooking into the WP form submission functions and preventing anything with JavaScript to work. I have no idea why, and it might affect other plugins as well (I haven’t tried, since none of the others have anything like a form to submit code…).

    I have not yet disabled all plugins because this is a production site running a few ads for actual customers (even though I’m not making serious money with it, it’s always bad if customers see errors, debug pages, etc.). If you seriously suspect that this has absolutely nothing to do with AdRotate, then the best I can offer is to configure a blank website from scratch and see if just with AdRotate I get the same error — I haven’t done that yet.

    My hope is that this situation is one of those very typical issues that can be simply resolved with, say, an obscure WP setting on wp-config.php like “WP_ALLOW_JAVASCRIPT_INPUT=true” or something absurdly simple like checking a box somewhere on the other plugins (or on AdRotate!) which I have completely missed.

    And just for your reference, I’m testing this out mostly on https://gwynethllewelyn.net because it’s my personal blog and I’m willing to do experiments there, even taking into account there are a few paid ads there; but I have many other websites on the same server, all using AdRotate, all having the same issue.

    Thank you in advance for any insights.

    #33782

    My apologies, things like … were eaten up on the above text. I just saw right now that I was supposed to enclose them in backticks like this:
    I’m sorry, but now I cannot edit the post above 🙁

    #33784

    (oh… I see that the word ‘script’ is edited out here, no matter how I try to escape it… all right, I hope the first post still makes sense — just mentally insert script and /script with the appropriate brackets)

    #34019

    Arnan

    AdRotate sets no limitations on scripts like that. And certainly not using 403 error pages.

    A 403 error means you have no access to a page or file on your server. That’s usually done with .htaccess or from your hosting dashboard. .htaccess is, among other things, an access control feature in servers which can be used by security plugins such as Wordfence or Sucuri.

    Perhaps they think the file you’re using is infected with malware (or it actually is).

    #34053

    As mentioned on the original post, I use nginx, which doesn’t use .htaccess files whatsoever. And I hardly believe that a copy & paste of JavaScript from Google’s own backoffice for AdSense (which I access with two-way authentication!) is infected with malware — if so, billions of sites would now be infected too 🙂

    #34354

    Arnan

    I’m not saying Google is spreading Malware, but security software on your server may think it is…

    Nginx does not use htaccess no, but it has access control tools which can cause this.
    I’m not familiar enough with Nginx to say anything useful about that. But it’s just a thing to investigate.

    At any rate, AdRotate (Pro) is not capable of generating 403 error pages. So whatever is causing this, is done by your server. Caused by your server or a (security) tool on it.

    #34458

    Ah! That makes sense! I use WordFence as a security plugin, and this may be limiting input with JavaScript of some sort. I’m aware that it does limit uploading JavaScript, but I never thought that it might be blocking JavaScript in some inputs (I have no problem whatsoever in placing JavaScript on widgets, for example). I will have to research this further, but thanks for the tip!
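
Added example, not part of the thread or of AdRotate: one way to tell whether a 403 was produced by nginx itself or by PHP (WordPress or a plugin behind PHP-FPM) is to log nginx's `$upstream_status` variable and group the 403 responses by origin. The `log_format` shown in the comment, the `summarize_403` and `classify_403` helpers and the sample log lines (including the placeholder admin URL) are assumptions constructed for this illustration.

```python
import re
from collections import Counter

# Assumed nginx log format (not from the thread): "combined" plus $upstream_status
#   log_format origin '$remote_addr - $remote_user [$time_local] "$request" '
#                     '$status $body_bytes_sent "$http_referer" '
#                     '"$http_user_agent" up=$upstream_status';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" up=(?P<up>.*)$'
)

# Constructed sample lines; IPs are documentation addresses, the URL is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2017:10:01:02 +0000] "GET /wp-admin/admin.php?page=ads-placeholder HTTP/1.1" 200 18211 "-" "Mozilla/5.0" up=200
203.0.113.7 - - [12/Jun/2017:10:01:40 +0000] "POST /wp-admin/admin.php?page=ads-placeholder HTTP/1.1" 403 1542 "-" "Mozilla/5.0" up=403
203.0.113.7 - - [12/Jun/2017:10:02:15 +0000] "POST /wp-admin/admin.php?page=ads-placeholder HTTP/1.1" 302 0 "-" "Mozilla/5.0" up=302
198.51.100.9 - - [12/Jun/2017:10:03:00 +0000] "GET /wp-config.php.bak HTTP/1.1" 403 162 "-" "curl/7.47" up=-
"""

def classify_403(line):
    """Return (origin, method, path) for a 403 line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("status") != "403":
        return None
    # up="-" : nginx answered without contacting PHP-FPM (e.g. a deny rule).
    # up=403 : the response came back from PHP, i.e. WordPress or a plugin.
    origin = "nginx" if m.group("up").strip() == "-" else "upstream"
    path = m.group("uri").split("?", 1)[0]
    return origin, m.group("method"), path

def summarize_403(log_text):
    """Count 403 responses per (origin, method, path)."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify_403(line)
        if hit:
            counts[hit] += 1
    return counts

if __name__ == "__main__":
    for (origin, method, path), n in summarize_403(SAMPLE_LOG).items():
        print(f"{n:3d}  {origin:8s} {method:5s} {path}")
```

A 403 counted under `upstream` on the form's POST, with nothing in nginx's error.log, points at code running inside PHP rather than at an nginx access rule.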


The topic ‘403 error when saving ad with javascript’ is closed to new replies.