I have a simple form where people raise IT helpdesk requests (oh, the irony...) and this creates a case in CiviCRM. It's an unsophisticated but cheap helpdesk system for the few requests we get.

A user reported today that they were blocked by CloudFlare. On investigation it was because they tried to upload a screenshot of their issue. We have a simple 'upload a file' field and have had no issues in the past. CKEditor and IMCE are not used - just native Drupal.

The rule triggered in CloudFlare is XSS/HTML injection - b910aec795a44492b783da68301de41f from the Managed Ruleset.

I checked myself and on trying to upload a PNG file I get a window pop up with:

[screenshot]

This is what I see CloudFlare side:

[screenshot]

Checking our submissions, I can see that screenshots were uploaded early September this year, so either this is a Drupal change or a CloudFlare rule tightening.

Any ideas? I could just disable the rule, but that is not a good practice without understanding the issue. We are using Drupal 7.98 with CiviCRM 5.66. We are upgrading to Drupal 10 and I have checked - it also gets triggered on our 9.5x and 10.1.x test systems.
