I recently asked a question about the LAMP stack not allowing posting of a <script> tag via a textarea; the request is wiped out by Apache, I suppose, because the $_POST, $_GET and $_REQUEST fields are empty.
I was just wondering how exactly WordPress allows users to include icons, update template files and make pages using a textarea control that allows the <script> tag.

UPDATE: I have created a pastebin entry for the form here: http://pastebin.com/1Jaz9rRz

Essentially it's an auto-generated form; I have copied and pasted in the source code.


I have moved the code for testing to the server here: http://www.007softwares.com/testing.php

The form is posted to itself; I have echoed the $_REQUEST array to see what was posted. You can see that when you just submit the form, the fields are visible, and when you type a script tag the error page appears. Hope this helps.

This is quite certainly some misguided security mechanism in either your browser or (much more likely) on the server.

As stated, check for Suhosin using phpinfo():

<?php phpinfo(); ?>

You should see some reference to the word "Suhosin" or "Hardened PHP" in the resulting output.

Also, I would not rule out mod_security - the errors you say you get when adding the lines disabling it in .htaccess may have another cause. It might, for instance, be set up so that you can't switch it off through .htaccess.

Ask your web host whether they have anything enabled security-wise that could be causing this.

The LAMP stack does not care what text is posted using a TEXTAREA. The script/application that receives the form input might have some logic in it that kills the process if it sees a SCRIPT tag, but in general you can submit whatever text you like.

Your phpinfo() says that string.strip_tags is registered as a stream filter. This could be causing your problem.

Also, your filter extension might be set up to strip, although that is less likely.

When the user submits a <p> tag it works as expected. When the user submits a <script> tag a 404 is returned. This leads me to believe Apache is applying mod_security with a configuration similar to:

SecFilterDefaultAction "deny,log,status:404"
SecFilter "<script"
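
The checks suggested in the answers above (Suhosin, mod_security, the string.strip_tags stream filter, the filter extension) can be gathered into one diagnostic page. This is an added example, not code from the thread; the function name `request_filter_report` and the file name `diag.php` are hypothetical.

```php
<?php
// Added diagnostic example, not code from the thread. Place it beside the
// form handler and POST a test value to it (hypothetical name: diag.php).

function request_filter_report(): array
{
    // The Apache module list is only visible when PHP runs as mod_php.
    $modSecurity = null; // null = cannot tell from inside PHP (CGI/FPM)
    if (function_exists('apache_get_modules')) {
        $modSecurity = (bool) preg_grep('/^mod_security/i', apache_get_modules());
    }

    // Raw body as PHP received it; empty for multipart/form-data posts.
    $raw = (string) file_get_contents('php://input');
    // Parsed fields, flattened so nested arrays are searched too.
    $parsed = (string) json_encode($_POST);

    return [
        'sapi'                => PHP_SAPI,
        'suhosin_loaded'      => extension_loaded('suhosin'),
        'mod_security_seen'   => $modSecurity,
        // Registered means available, not necessarily applied to input.
        'strip_tags_filter'   => in_array('string.strip_tags', stream_get_filters(), true),
        // Anything other than "unsafe_raw" means ext/filter rewrites input.
        'filter_default'      => ini_get('filter.default'),
        'raw_body_bytes'      => strlen($raw),
        'raw_has_script_tag'  => stripos($raw, '<script') !== false,
        'post_keys'           => array_keys($_POST),
        'post_has_script_tag' => stripos($parsed, '<script') !== false,
    ];
}

// text/plain + nosniff: the submitted markup is reported, never rendered,
// unlike echoing $_REQUEST straight into an HTML page.
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
foreach (request_filter_report() as $name => $value) {
    echo str_pad($name, 22), var_export($value, true), "\n";
}
```

If the report prints with `raw_has_script_tag` true but `post_has_script_tag` false, something inside PHP is altering the input; if the server answers with an error page and no report at all, the request was rejected before PHP ran, which points at a server module such as mod_security.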