Merge pull request #1515 from fgsch/fgsch/issue_1514

Drop t:lowercase from 941350

Author: lifeforms

rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

@@ -634,7 +634,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+    t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
     msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\

util/regression-tests/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml

@@ -0,0 +1,24 @@
+---
+  meta:
+    author: fgsch
+    enabled: true
+    name: 941350.yaml
+    description: Test rule 941350
+  tests:
+    -
+      test_title: 941350-1
+      desc: GH issue #1514
+      stages:
+      -
+        stage:
+          input:
+            dest_addr: 127.0.0.1
+            method: GET
+            port: 80
+            uri: /xx?id=%25252bADw-script%25252bADw-
+            headers:
+              Accept: "*/*"
+              Host: localhost
+              User-Agent: ModSecurity CRS 3 Tests
+          output:
+            log_contains: id "941350"