Description
I am using Coraza as module in Caddy with below directives:
Include @coraza.conf-recommended
Include @crs-setup.conf.example
Include @owasp_crs/*.conf
SecRuleEngine On
When submitting a POST request with an img tag, the request gets a 403 with a reference to rule ID 941160, which does not even seem to be related to img. I tried changing different things in the img tag, but only removing it completely or leaving it as <img> solves the problem. I get that it should be reacting to img src, meaning that I probably need to somehow disable or adjust the rule (can I somehow allow src with relative paths only?), but even if I leave <img > it still matches, although from an XSS attack perspective this looks safe (and pointless).
How to reproduce the misbehavior (-> curl call)
For "baseline":
curl -X POST https://sandbox.coreruleset.org/ \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'test=<p><img class="w50pc middle block galleryZoom" src="/assets/images/uploaded/7c/e9/f4/7ce9f467294f6e47f19224acd6d35a63f49079448118d9cc5fe6a326221987e030afd319c17d5f571b3b87adf27024e7983a9709e873ee52b2f24b7d7a9111e9.webp" alt="Dream apartment plan"></p>'
Something that actually seems faulty to me:
curl -X POST https://sandbox.coreruleset.org/ \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'test=<p><img ></p>'
Logs
Curls provided
Your Environment
Using Coraza via https://github.com/corazawaf/coraza-caddy; not sure how to see which version is used there.
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
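Added example, not part of the original issue and not a reply from the Coraza or CRS maintainers: rule 941160 keys on the tag itself (an HTML tag name followed by a non-word character that is not `>`), not on the `src` value, which is consistent with `<img>` passing and `<img >` being blocked. The usual way to keep the rule but stop it blocking a parameter that legitimately carries HTML is a rule exclusion, either unconditional or scoped to a path. Both forms below are standard SecLang directives that Coraza supports. The parameter name `test` is taken from the curl calls above; the path `/posts` and the rule id `1000` are assumed placeholders. They must come after `Include @owasp_crs/*.conf`, because the target rule has to be loaded before it can be updated.

```apacheconf
# Placed after the CRS rules (Include @owasp_crs/*.conf), e.g. appended to
# the Coraza directives or in a RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.

# Option 1: unconditional exclusion. Rule 941160 still runs for every other
# argument but never inspects ARGS:test (the form field carrying the HTML).
SecRuleUpdateTargetById 941160 "!ARGS:test"

# Option 2: exclusion scoped to one endpoint. The path /posts and rule id 1000
# are assumed placeholders; use an id outside the CRS range (900000 and up).
# Runs in phase 1, before the CRS phase-2 body rules, and removes ARGS:test
# from 941160 only for requests to that path, so the same parameter name stays
# fully inspected everywhere else.
SecRule REQUEST_URI "@beginsWith /posts" \
    "id:1000,phase:1,pass,nolog,ctl:ruleRemoveTargetById=941160;ARGS:test"
```

After adding either exclusion, rerun the second curl call against your own instance: the `<img >` payload should now pass, while the same payload sent in any other parameter (or, with option 2, to any other path) should still return 403. Note what the exclusion does and does not do: 941160 no longer sees `ARGS:test`, but the other 941xxx rules (libinjection, event-handler and attribute vectors) still inspect it. Restricting `src` to relative paths only is not something a target exclusion can express; that would require a custom rule of your own that checks the attribute value, which the CRS does not ship.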