HTML Editor Field in Front End throws 403 error on some html tags (but not all)

Silverstripe Version: 4.4


I have a HtmlEditorField on the front end of my site and it shows up, has the limited buttons I want etc, but when I go to submit the form, depending on what Html tags are used I get a 403 error.

These are pretty basic tags like list items, strong, links etc In fact I think it is only allowing paragraphs and spans through.

Have I omitted something I need to make this work properly?

Code in controller…

protected function init() {

Code in template

<script type="text/javascript">
					selector: 'textarea.wysiwyg',
					skin: 'silverstripe',
					menubar: false,
					statusbar: false,
					plugins : 'lists, link',
					toolbar: [
						'undo redo | bold italic underline | alignleft aligncenter alignright | bullist numlist | link'


Hi Vicki,

Often this is to do with permissions, so could be related to the user that is active when you submit the form (a “public” user vs a logged in CMS editor e.g. defaultAdmin).

Another cause could be increased security levels with the server (via mod_security or a WAF such as cloudflare, etc.) which will actively deny HTML as a form of XSS protection. This is a common case on some platforms when the HTML being submitted contains an iframe.

Thanks, it turned out to be the mod_security blocking it.

Hi @vix75 can I ask how you resolved the mod_security blocking please?

Hi John, unfortunately this was about a year and a half ago, so I don’t remember. I don’t even use Silverstripe much anymore and I am not sure what project this relates to, to even go back and look at it.

Sorry I can’t help you.