RichText component returns 403 error after upgrading from v13 to v15

[richardinitial]

Which component is this issue related to?

Umbraco Commerce (Core)

Which Umbraco Commerce version are you using? (Please write the exact version, example: 10.1.0)

15.3.4

Bug summary

After migrating our project from Umbraco 13 to 15, we noticed that pages containing RichText components (specifically of type Umb.PropertyEditorUi.TinyMCE | Umbraco.RichText) started throwing an API error when trying to save changes.

Upon inspecting the network requests, the error occurs on the Validate request, which includes an HTML payload generated by the RichText editor. The server responds with 403 Forbidden.

Specifics

Curiously, when debugging the code, the same request completes successfully with a 200 OK status.

We also tested with a TipTap RichText editor, but the issue persists.

Note:
This issue only started after the upgrade to v15.
During debugging sessions, the validation completes successfully, suggesting it could be a security or permission-related check introduced or modified in v15.

Error message

Payload info

Console Log Errors

User Permissions

Example HTML markup triggering the error:

<p>&nbsp;</p>
<h2>Swing Catalyst Certification</h2>
<p>Discover how the world's top golfers harness ground forces to boost power and consistency in their swings with our Swing Catalyst Certification Program. Whether you're a coach or an avid golfer, understanding ground reaction forces can revolutionize your approach to the game. No special equipment, such as a Swing Catalyst Balance Plate or a 3D Motion Plate, is required to get started.</p>
<p>Guided by Dr. Scott Lynn, Associate Professor at California State University, Fullerton, and Research Director at Swing Catalyst, this program is meticulously designed to demystify the biomechanics of golf. You'll delve into how these principles can enhance swing techniques and help prevent injuries, giving you or your students an undeniable edge.</p>
<h3>The certification is structured into two comprehensive levels:</h3>
<ul>
    <li>Level 1: Delivered entirely online, this initial course introduces fundamental biomechanics terms and concepts, such as the differences between mass and pressure shifts (CoM vs CoP). You'll also explore how elite golfers use the Swing Catalyst Balance Plate to maximize power through optimal pressure shifts.<br><br><span style="text-decoration: underline;"><a href="https://www.youtube.com/playlist?list=PLgxA3IJv2lfRv41Tcxqfy9bCssRzEdpzc" data-anchor="?list=PLgxA3IJv2lfRv41Tcxqfy9bCssRzEdpzc">Watch the Video seminar</a> (free)</span><br><span style="text-decoration: underline;"><a href="https://www.classmarker.com/online-test/start/user-info/?quiz=ycp565daf6a9ac0c" data-anchor="?quiz=ycp565daf6a9ac0c">Take the test </a>(free)</span><br><br></li>
    <li>Level 2: This one-day seminar, also available as an online webinar, builds on the foundation of Level 1. It offers a deeper dive into the biomechanics of golf, showcasing how the Swing Catalyst 3D Motion Plate visualizes the unseen forces that create a powerful and efficient swing.<br>Join us to elevate your understanding and teaching of golf mechanics.<br><br>
        <p>The Level 2 certification provides more in-depth information on ground forces, and aims to explain how vertical, horizontal and torque forces affect the golf swing.</p>
        <p><span style="text-decoration: underline;"><a href="https://vimeo.com/ondemand/sclevel2">Watch the Level 2 webinar and take the test ($79)</a></span></p>
    </li>
</ul>
<p>Sign up for both Level 1 and Level 2 today and start transforming swings with scientific precision.</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>

If I remove these 2 elements it works fine

Steps to reproduce

Saving a page with RichText content triggers a 403 error from the Validate endpoint.
If the RichText field is emptied, saving succeeds.

Expected result / actual result

No response

Dependencies

No response

[umbracotrd]

Hi @richardinitial , does it only fail for old content or it fails even if you re-enter the links from the new RTE?

[richardinitial]

Hi @umbracotrd it happens for both scenarios.

[umbracotrd]

thank you for confirming @richardinitial . After checking I see that the validate request is a part of umbraco cms management apis. It's not an umbraco commerce api. With that being said, I couldn't replicate the error with the example HTML you provided.

Can you try replicating the issue on a simple page type which contains only one rich text editor property? If you can then I suggest you forward this issue to Umbraco CMS repository to get appropriated support.

[richardinitial]

I ran the test you recommended, and only when I create a new page and add the component with the content am I able to save it successfully. I'll forward this to the Umbraco CMS team. Thank you!

Update: I ran the test you recommended, and only when I create a new page and add the component with the content am I able to save it successfully. But after saving it the first time, when I make any changes and try to save again, the error occurs. I'll forward this to the Umbraco CMS team. Thank you!

[umbracotrd]

I'm glad you can reliably reproduce the issue—identifying it is half the battle 💪.
I'll close this for now, but if you find any signs or evidence that Commerce is causing the problem, feel free to reopen this thread.