Web Application Firewall and Telerik RadEditor Control


We use the Cloudflare service for a site that uses Telerik RadEditor (rich text web editor) controls on several pages. When the Cloudflare web application firewall is turned on, a POST with HTML in a RadEditor control triggers several XSS and SQL Injection rules in the web application firewall. There were so many false positives that the web application firewall was immediately turned off.

I would think this would be an issue not just for the Telerik RadEditor control, but any CMS site which uses Cloudflare with the web application firewall turned on.

Does anyone have experience resolving this issue by either changing the settings/configuration of the RadEditor controls, or by tweaking the Cloudflare Web Application Firewall rules?

Thanks