Saving content not possible in some circumstances

[texnixe]

This issue has been reported multiple times, see https://forum.getkirby.com/t/an-unexpected-error-occurred-when-editing-saving-content-even-as-admin/7185

[fabianmichael]

I had the same issue a few days ago on a client server and I think, I've got some bad news on this. The site has been working for several years and suddenly it stopped working. Apparently, there is a nice little software called mod_security and maybe others, that are meant to improve server security by filtering POST requests for suspicious content (We are not 100% sure, if it’s mod_security that blocks the requests, as the provider denies that it is active. However, there’s a ton of articles about similar issues caused by mod_sercurity allover the web).

In our case, the "An unexpected error occured."-message thrown by the panel’s JS was accompanied by a 403 response error page from the server. That means, the request did not even make it to Kirby/PHP, but was rejected by the server (Apache) or one of its components itself. As the error only occured on some panel pages, so we tried to alter the request to find out what’s wrong and which of those requests are causing a security error.

It turned out that it only happends, when the any of the fields contains HTML code. If your site contains any WYSIWYG editor field, a field for inserting a tracking code or basically any social media embed your are out of luck. Unfortunately the hosting provider’s support does neither seem to be very motivated nor skilled enough to dig into the issue. The filtering on this server is so aggressive, that it even blocks GET requests as soon as there’s a single HTML tag in any parameter (eve harmless things like <strong>. I could somewhat understand, if you want to block <script> tags, but blocking any HTML just sounds insane to me as this affects any CMS or web application. As a developer, you would need some serious hacking to get around this, the only solution I could think of was to encode all data sent to the server into base64 or similar. But that might make the request even look more suspicious and could be added to the filter in an update of the component that blocks all these requests.

In our case, the probably have to look for another provider to fix this …

[shoesforindustry]

We have also had the same problem, it was the Apache module mod_security blocking the save but only when HTML was in the saved page - a simple link would do it.

You can get your host admin, or if you can do it yourself, alter the rules for mod_security. If allowed I think you can even set some prams via .httaccess. Scour the server logs to see which rules are being triggered, the link below may help: https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/

I believe mod_security rules are run through in order, so white listing one can sometimes mean one further down the chain gets triggered instead, so worth a reboot and check ;-)