HTML Editor Field in Front End throws 403 error on some html tags (but not all)


Silverstripe Version: 4.4

Question:

I have a HtmlEditorField on the front end of my site and it shows up, has the limited buttons I want etc., but when I go to submit the form, depending on what HTML tags are used I get a 403 error.

These are pretty basic tags like list items, strong, links etc. In fact I think it is only allowing paragraphs and spans through.

Have I omitted something I need to make this work properly?

Code in controller…

use SilverStripe\View\Requirements;

// Load the CMS bundle of TinyMCE and its skin on the front end.
protected function init()
{
    parent::init();
    Requirements::javascript('silverstripe/admin:thirdparty/tinymce/tinymce.min.js');
    Requirements::css('silverstripe/admin:client/dist/styles/editor.css');
}

Code in template

<script type="text/javascript">
    // Attach TinyMCE to the HtmlEditorField textarea with a reduced toolbar.
    tinyMCE.init({
        selector: 'textarea.wysiwyg',
        skin: 'silverstripe',
        menubar: false,
        statusbar: false,
        plugins: 'lists link',
        toolbar: [
            'undo redo | bold italic underline | alignleft aligncenter alignright | bullist numlist | link'
        ]
    });
</script>

Thanks

Hi Vicki,

Often this is to do with permissions, so it could be related to the user that is active when you submit the form (a “public” user vs a logged-in CMS editor, e.g. defaultAdmin).

Another cause could be increased security levels on the server (via mod_security or a WAF such as Cloudflare, etc.), which will actively deny HTML as a form of XSS protection. This is a common case on some platforms when the HTML being submitted contains an iframe.
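A way to test the second explanation above, as an added diagnostic that is not part of the original thread: post the form once per HTML tag and record which submissions come back 403, then look at the 403 body to tell a rule fired in front of the application (mod_security or a CDN WAF, which returns its own generic page) from a framework-rendered permission failure. The tag samples, the fake server and the body-matching heuristic below are all constructed for the example; in real use `fake_waf_submit` would be replaced by a function that POSTs to the form (for instance with `requests.post`, an assumption, not something the thread shows), and the heuristic strings should be tuned to what your own server actually returns.

```python
"""Added diagnostic, not from the original thread: submit the same form with
one HTML tag at a time and classify each response, to tell a WAF/mod_security
block from a Silverstripe permission failure."""
import re
from collections import OrderedDict

# Constructed sample of "body" values a front-end HtmlEditorField might post.
TAG_SAMPLES = OrderedDict([
    ("p",      "<p>plain paragraph</p>"),
    ("span",   "<p><span>span text</span></p>"),
    ("strong", "<p><strong>bold</strong></p>"),
    ("ul/li",  "<ul><li>item</li></ul>"),
    ("a",      '<p><a href="https://example.com">link</a></p>'),
    ("iframe", '<iframe src="https://example.com"></iframe>'),
])

# Constructed heuristic: markers that commonly appear in a 403 page produced
# by a WAF or CDN rather than by the application. Adjust for your server.
WAF_MARKERS = re.compile(r"mod_security|cloudflare|request blocked|not acceptable", re.I)


def classify_response(status, body):
    """Map an HTTP status and body to one of three outcomes.

    A 403 whose body looks like a bare server/CDN error page was most likely
    produced in front of the app by a WAF rule; a 403 rendered by the
    framework usually carries the site's own template instead."""
    if status != 403:
        return "accepted"
    if WAF_MARKERS.search(body):
        return "blocked-by-waf"
    return "forbidden-by-app"


def probe_tags(submit, samples=TAG_SAMPLES):
    """submit(html) -> (status, body). Returns {tag_label: classification}."""
    return {label: classify_response(*submit(html)) for label, html in samples.items()}


def rejected_tags(results):
    """Sorted labels of every sample that did not come back accepted."""
    return sorted(label for label, cls in results.items() if cls != "accepted")


# Constructed stand-in for a server whose WAF rule rejects links, list items
# and iframes but lets paragraphs, spans and strong through. Hypothetical;
# replace with a real HTTP POST to the form when running against a site.
def fake_waf_submit(html):
    if re.search(r"<(a|li|iframe)\b", html):
        return 403, "<html><body><h1>403 Forbidden</h1><p>mod_security</p></body></html>"
    return 200, "<html><body><p>Thanks, your comment was saved.</p></body></html>"


if __name__ == "__main__":
    results = probe_tags(fake_waf_submit)
    for tag, cls in results.items():
        print(f"{tag:8s} {cls}")
    print("rejected:", rejected_tags(results))
```

If every sample that contains a tag beyond `<p>` and `<span>` is classified as blocked-by-waf, the fix belongs in the WAF rule set or the hosting panel rather than in Silverstripe; if the 403 comes back as forbidden-by-app, look at the member and permission checks on the form action instead.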