WAF deteting Unicode character bypass

[CIMEOS]

Hi,
we recently configured a WAF on our servers and it is blocking any request containing unicode characters with the message : Possible Unicode character bypass detected.

Example of blocked request content where "\u00e9" should be "é" :
"info\":1,\"new\":1,\"dragdrop\":1,\"sort\":1,\"hide\":1,\"delete\":1,\"localize\":1},\"levelLinksPosition\":\"top\",\"newRecordLinkTitle\":\"Cr\\u00e9er un bouton\",\"showAllLocalizationLi"

From what we saw, errors can be triggered while saving mask configuration or in content editing (BE) like adding an item in a section field type.

Tested on typo3v12 and typo3v13

[nhovratov]

Could you please specifiy, which request specifically is causing the WAF error? Normally the unicode escaped characters from the JSON are always decoded. I don't see where they are transferred like this in any request.

[CIMEOS]

Hi!
The issue occurs when you configure a newRecordLinkTitle. Then, when trying to edit the corresponding mask content, the entire request fails with the error shown in my previous post.
This error is not triggered when you edit a Mask configuration. It is triggered when you edit a Mask content_element that has sections. If the "New content" label contains accentuated characters such as é or à, WAF triggers an error because they are escaped.

[CIMEOS]

Here is a mask configuration example : accent_characters.json