Azure WAF compatibility: node duplication blocked due to HTML in field values

Created on 15 May 2025, 6 days ago

Problem/Motivation

When using a fresh Drupal 11 CMS installation on Azure App Service with Azure Web Application Firewall (WAF) enabled, we encountered a compatibility issue during node duplication.

Using a URL like:

/node/add/news?duplicate=10&destination=/admin/content

The request is blocked by Azure WAF if the original node contains HTML content (e.g., <p>...</p>) in a field such as body or any rich text field. The WAF logs show that the request is flagged as malicious due to:

Matched Data: <p>Drupal has long been a go-to content management system ... found within ARGS:field_content[0][value]

This occurs without any contributed modules, on a default Drupal 11 installation.

Expected Behavior

Node duplication should function normally. Valid HTML content entered via the UI should not trigger WAF blocks, as it is legitimate user input handled by Drupal’s form API.

Actual Behavior

Azure WAF blocks the request, misinterpreting valid HTML as a potential cross-site scripting (XSS) attack or other threat, due to deep inspection of POST/GET arguments.

Workaround

We had to manually add a WAF rule exception to allow this traffic, but this may not be feasible or secure for all sites.

Proposed Resolution

  • This may not be a core bug, but I'm opening this issue to raise awareness of Azure WAF compatibility concerns with Drupal’s node duplication flow.
  • Explore whether the duplication logic (e.g., via GET parameters) could be adjusted or optionally moved to POST to avoid false positives from WAF systems. I'm not sure where the duplicate logic is located; with a quick search in the code I did not find a module for it.
  • Consider documenting WAF compatibility best practices for Drupal sites in official documentation.

Environment

  • Drupal version: 11.x (latest release)
  • Hosting: Azure App Service
  • WAF: Azure Web Application Firewall (Default OWASP ruleset)
๐Ÿ› Bug report
Status

Active

Component

General

Created by

🇮🇹 Italy bigbabert Milano, Italy
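
A triage helper for the WAF log line quoted in the issue above, added here as an example and not part of the original report or of Drupal's code: it groups blocked requests by argument name and separates ordinary editor markup from entries that deserve review before any exclusion is scoped to a field. The tag allowlist, the function names and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Shape of the log detail quoted in the issue; a trailing ": value" is tolerated.
DETAIL_RE = re.compile(
    r"Matched Data: (?P<data>.*?) found within (?P<coll>[A-Z_]+):(?P<name>[^\s:]+)", re.S)
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
RISKY_ATTR_RE = re.compile(r"\bon\w+\s*=|javascript:", re.I)
# Assumed allowlist of editor markup; align it with the site's text format.
BENIGN_TAGS = {"p", "br", "strong", "em", "a", "ul", "ol", "li", "h2", "h3", "blockquote"}

def parse_detail(message):
    """Return (collection, argument name, matched data), or None if the line does not match."""
    m = DETAIL_RE.search(message)
    return (m["coll"], m["name"], m["data"]) if m else None

def looks_like_editor_markup(data):
    """True only if every tag is allowlisted and carries no event handler or javascript: URL."""
    tags = TAG_RE.findall(data)
    if not tags or "<" in TAG_RE.sub("", data):  # no markup, or a truncated/odd tag
        return False
    return all(t.lower() in BENIGN_TAGS and not RISKY_ATTR_RE.search(a) for t, a in tags)

def field_key(name):
    """Collapse the Drupal delta index: field_content[0][value] -> field_content[*][value]."""
    return re.sub(r"\[\d+\]", "[*]", name)

def triage(messages):
    """Count blocked requests per field, split into benign markup and entries needing review."""
    report = defaultdict(lambda: {"benign": 0, "review": 0})
    for msg in messages:
        parsed = parse_detail(msg)
        if parsed is None:
            continue
        _, name, data = parsed
        bucket = "benign" if looks_like_editor_markup(data) else "review"
        report[field_key(name)][bucket] += 1
    return dict(report)

# Constructed sample lines in the shape of the log entry quoted in the issue.
SAMPLE = [
    "Matched Data: <p>Drupal has long been a go-to content management system found within ARGS:field_content[0][value]",
    "Matched Data: <p>Second <strong>paragraph</strong></p> found within ARGS:field_content[1][value]",
    'Matched Data: <a href="javascript:void(0)">x</a> found within ARGS:field_content[0][value]',
    "Matched Data: <script>alert(1)</script> found within ARGS:title[0][value]",
]

if __name__ == "__main__":
    for field, counts in triage(SAMPLE).items():
        print(field, counts)
```

A field whose blocks are all in the "benign" bucket is a candidate for a per-argument exclusion; any "review" entry should be examined before the rule is relaxed for that field.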


Comments & Activities

  • Issue created by @bigbabert
  • 🇺🇸 United States phenaproxima Massachusetts

    This sounds like it is a generalized Drupal core problem, not really Drupal CMS-specific, so moving to core's queue, at least for now.

  • 🇺🇸 United States phenaproxima Massachusetts

    Actually, scratch that. Core doesn't support duplication, but Drupal CMS does, so this is our problem.

  • 🇺🇸 United States kentr Durango, CO

    Not sure if it's related, but I have seen a WAF block the saving of new nodes on a standard Drupal installation (core + various contrib).

    I'm not implying that this is a core issue, just to provide info that might help resolution.

    In my case, it was Apache mod_security. The workaround was to save a blank node and then add the content by editing the node. The WAF did not block the save operation upon editing.

    I don't remember what the content of the node was.

  • 🇮🇹 Italy bigbabert Milano, Italy

    In my tests, the issue only happened when duplicating demo content, not when saving a new or edited node.

  • 🇮🇹 Italy bigbabert Milano, Italy

    Noticed the same issue here: /it/node/2/translations/add/en/it

    Azure WAF responds with 403:


    403 Forbidden

    Microsoft-Azure-Application-Gateway/v2