Roundcube Community Forum


Cross Site Scripting detected by AWS WAF when sending/replying to messages

Started by berrypatrick01, Today at 04:57:45 AM


berrypatrick01

Currently we are hosting Roundcube 1.6.9 and Roundcube 1.6.11 behind Elastic Load Balancers in AWS, protected by WAF.

We are currently having an issue where the WAF is detecting Cross Site Scripting payloads from Roundcube, as well as WindowsShellCommands_Body.

This is the WAF output:
"terminatingRuleMatchDetails": [ { "conditionType": "XSS", "location": "BODY", "matchedData": [ "style", "font-size: 10pt; font-family: Verdana,Geneva,sans-serif;" ], "matchedFieldName": "" } ],

Please can you advise if there are any workarounds? The emails always send if they are sent via HTML. Overriding the compose settings to always send in HTML in the config does not seem to work either.

SKaero

That WAF rule seems overly broad and is matching a style attribute, not anything malicious. If you can't disable that rule then the only option I can think of is a plugin to change the default settings on the HTML editor so it doesn't use that font.
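As an added illustration of the plugin approach suggested above (example code, not from the thread or the Roundcube project): a minimal Roundcube plugin that overrides the compose editor's default font and size on every request, so the editor no longer emits the exact `font-family: Verdana,Geneva,sans-serif` style the WAF flagged. It assumes the `default_font` and `default_font_size` config options are what feed the editor's inline style, and that the plugin directory is named `compose_font_override`.

```php
<?php
/**
 * compose_font_override: hypothetical example plugin (assumed directory name
 * plugins/compose_font_override/compose_font_override.php).
 *
 * Overrides the default compose font so the HTML editor's inline style no
 * longer contains the "Verdana,Geneva,sans-serif" string matched by the WAF.
 * Setting the values here, rather than only in config.inc.php, also wins over
 * a per-user preference that would reinstate the original font.
 */
class compose_font_override extends rcube_plugin
{
    // Only needed while composing mail
    public $task = 'mail';

    // Replacement values (constructed for this example; pick any font the
    // WAF rule does not object to)
    const FONT      = 'Arial';
    const FONT_SIZE = '12pt';

    public function init()
    {
        $rcmail = rcmail::get_instance();

        // Assumed: these two options are read when the HTML editor builds its
        // default "font-family: ...; font-size: ..." content style.
        $rcmail->config->set('default_font', self::FONT);
        $rcmail->config->set('default_font_size', self::FONT_SIZE);
    }
}
```

Enable it by adding `'compose_font_override'` to `$config['plugins']` in config.inc.php; confirm the fix by composing a test message and checking that the WAF log no longer shows the old font string in matchedData.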