RichText component returns 403 error after upgrading from v13 to v15 #707
Description
Which component is this issue related to?
Umbraco Commerce (Core)
Which Umbraco Commerce version are you using? (Please write the exact version, example: 10.1.0)
15.3.4
Bug summary
After migrating our project from Umbraco 13 to 15, we noticed that pages containing RichText components (specifically of type Umb.PropertyEditorUi.TinyMCE | Umbraco.RichText) started throwing an API error when trying to save changes.
Upon inspecting the network requests, the error occurs on the Validate request, which includes an HTML payload generated by the RichText editor. The server responds with 403 Forbidden.
Specifics
Curiously, when debugging the code, the same request completes successfully with a 200 OK status.
We also tested with a TipTap RichText editor, but the issue persists.
Note:
This issue only started after the upgrade to v15.
During debugging sessions, the validation completes successfully, suggesting it could be a security or permission-related check introduced or modified in v15.
Error message
Payload info
Console Log Errors
User Permissions
Example HTML markup triggering the error:
<p> </p>
<h2>Swing Catalyst Certification</h2>
<p>Discover how the world's top golfers harness ground forces to boost power and consistency in their swings with our Swing Catalyst Certification Program. Whether you're a coach or an avid golfer, understanding ground reaction forces can revolutionize your approach to the game. No special equipment, such as a Swing Catalyst Balance Plate or a 3D Motion Plate, is required to get started.</p>
<p>Guided by Dr. Scott Lynn, Associate Professor at California State University, Fullerton, and Research Director at Swing Catalyst, this program is meticulously designed to demystify the biomechanics of golf. You'll delve into how these principles can enhance swing techniques and help prevent injuries, giving you or your students an undeniable edge.</p>
<h3>The certification is structured into two comprehensive levels:</h3>
<ul>
<li>Level 1: Delivered entirely online, this initial course introduces fundamental biomechanics terms and concepts, such as the differences between mass and pressure shifts (CoM vs CoP). You'll also explore how elite golfers use the Swing Catalyst Balance Plate to maximize power through optimal pressure shifts.<br><br><span style="text-decoration: underline;"><a href="https://www.youtube.com/playlist?list=PLgxA3IJv2lfRv41Tcxqfy9bCssRzEdpzc" data-anchor="?list=PLgxA3IJv2lfRv41Tcxqfy9bCssRzEdpzc">Watch the Video seminar</a> (free)</span><br><span style="text-decoration: underline;"><a href="https://www.classmarker.com/online-test/start/user-info/?quiz=ycp565daf6a9ac0c" data-anchor="?quiz=ycp565daf6a9ac0c">Take the test </a>(free)</span><br><br></li>
<li>Level 2: This one-day seminar, also available as an online webinar, builds on the foundation of Level 1. It offers a deeper dive into the biomechanics of golf, showcasing how the Swing Catalyst 3D Motion Plate visualizes the unseen forces that create a powerful and efficient swing.<br>Join us to elevate your understanding and teaching of golf mechanics.<br><br>
<p>The Level 2 certification provides more in-depth information on ground forces, and aims to explain how vertical, horizontal and torque forces affect the golf swing.</p>
<p><span style="text-decoration: underline;"><a href="https://vimeo.com/ondemand/sclevel2">Watch the Level 2 webinar and take the test ($79)</a></span></p>
</li>
</ul>
<p>Sign up for both Level 1 and Level 2 today and start transforming swings with scientific precision.</p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
If I remove these 2 elements it works fine
Steps to reproduce
Saving a page with RichText content triggers a 403 error from the Validate endpoint.
If the RichText field is emptied, saving succeeds.
Expected result / actual result
No response
Dependencies
No response