Transformation functions
ModSecurity provides a number of transformation functions that you can apply to variables and collections. These transformations are done on a copy of the data being examined, meaning that the original HTTP request or response is never modified. The transformations are done before any rule matching is attempted against the data.
Transformation functions are useful for a variety of purposes. If you want to detect cross-site scripting attacks (see Chapter 6 for more on this), you would want to detect injected JavaScript code regardless of the case it was written in. To do this the transformation function lowercase can be applied and the comparison can then be done against a lowercase string.
To apply a transformation function, you specify t: followed by the name of the function and then put this in the action list for the rule. For example, to convert the request arguments to all-lowercase, you would use t:lowercase, like so:
SecRule ARGS "<script" "deny,t:lowercase...
