HTML Editor Field in Front End throws 403 error on some html tags (but not all)

Questions
,
1

Silverstripe Version: 4.4

Question:

I have a HtmlEditorField on the front end of my site and it shows up, has the limited buttons I want etc, but when I go to submit the form, depending on what Html tags are used I get a 403 error.

These are pretty basic tags like list items, strong, links etc In fact I think it is only allowing paragraphs and spans through.

Have I omitted something I need to make this work properly?

Code in controller…

protected function init() {
            parent::init();
            Requirements::javascript('silverstripe/admin:thirdparty/tinymce/tinymce.min.js');
            Requirements::css('silverstripe/admin:client/dist/styles/editor.css');
        }

Code in template

<script type="text/javascript">
			tinyMCE.init({
					selector: 'textarea.wysiwyg',
					skin: 'silverstripe',
					menubar: false,
					statusbar: false,
					plugins : 'lists, link',
					toolbar: [
						'undo redo | bold italic underline | alignleft aligncenter alignright | bullist numlist | link'
					],
			});
	</script>

Thanks

2

Hi Vicki,

Often this is to do with permissions, so could be related to the user that is active when you submit the form (a “public” user vs a logged in CMS editor e.g. defaultAdmin).

Another cause could be increased security levels with the server (via mod_security or a WAF such as cloudflare, etc.) which will actively deny HTML as a form of XSS protection. This is a common case on some platforms when the HTML being submitted contains an iframe.

3

Thanks, it turned out to be the mod_security blocking it.

4

Hi @vix75 can I ask how you resolved the mod_security blocking please?

5

Hi John, unfortunately this was about a year and a half ago, so I don’t remember. I don’t even use Silverstripe much anymore and I am not sure what project this relates to, to even go back and look at it.

Sorry I can’t help you.