I have updated to Symfony 6.4 and suddenly I can't save any form with a textarea that has a new line or any HTML code like <p>. When I write a single line that doesn't wrap, the form submits successfully.
I'm getting a 403 Forbidden error.
Sometimes when I submit a form without using AJAX (with render and form) I get a 503 error when submitting a form for the second time, and I have to delete the cache in order to submit successfully.
However, for the 403 error, I can't do anything to submit it with a new line or any HTML code.
Here's one example of the code that causes the 403:

    #[Route(path: '/ajax/save/new', name: 'new_lesson_plan')]
    public function newLessonPlan(
        LessonPlanRepository $lessonPlanRepo,
        Request $request,
        SessionRepository $sessionRepo,
        Mailer $mailer,
        SendSms $sendSms,
        ShortenUrl $shortenUrl,
        Environment $twig
    ): Response {
        $new_stuff = $request->request->get('new_stuff');
        $finger_exercises = $request->request->get('finger_exercises');
        $previous_pieces = $request->request->get('previous_pieces');
        $current_piece = $request->request->get('current_piece');
        $techniques_reinforced = $request->request->get('techniques_reinforced');
        $extend_to_learn = $request->request->get('extend_to_learn');
        $print_out = $request->request->get('print_out');
        $assignment_for_student = $request->request->get('assignment_for_student');
        $modify = $request->request->get('modify');
        $sess_id = $request->request->get('session_id');
        $session = $sessionRepo->findOneById($sess_id);

        $activity_string = "";
        $activity_string .= "<h3>Warm-up</h3>";
        $activity_string .= "<p>" . nl2br($finger_exercises) . "</p>";
        $activity_string .= "<h3>Repertoire</h3>";
        $activity_string .= "<p>" . nl2br($previous_pieces) . "</p>";
        $activity_string .= "<h3>Creative</h3>";
        $activity_string .= "<p> Learn: " . nl2br($new_stuff) . "</p>";
        $activity_string .= "<h3>Current piece: " . $current_piece . "</h3>";
        $activity_string .= "<p> This piece will reinforce the following: ". $techniques_reinforced .". I intend to do " . $extend_to_learn . "</p>";
        $activity_string .= "<h3>Print outs</h3>";
        $activity_string .= "<p>" . $print_out . "</p>";
        $activity_string .= "<h3>Assignment</h3>";
        $activity_string .= "<p>" . nl2br($assignment_for_student) . "</p>";

        if ($modify == 'false') {
            $lessonPlan = new LessonPlan();
            $lp = 'Lesson Plan';
        } else {
            $lessonPlan = $lessonPlanRepo->findOneBySession($session);
            $lp = 'Assessed Lesson Plan';
        }

        $lessonPlan->setAddedOn($session->getBeginAt());
        $lessonPlan->setSession($session);
        $lessonPlan->setStudent($session->getStudent());
        $lessonPlan->setAddedOn(new \Datetime());
        $lessonPlan->setWork($new_stuff);
        $lessonPlan->setActivities($activity_string);

        $entityManager = $this->managerRegistry->getManager();
        $entityManager->persist($lessonPlan);
        $entityManager->flush();

        $student = $lessonPlan->getStudent();
        $teacher = $session->getTeacher();
        $html = $twig->render('pdf/student_lesson_plan.html.twig', [
            'session' => $session,
            'lesson_plan' => $lessonPlan,
        ]);
        $uigName = explode("-", (string) $session->getUserInstrumentGrade())[0];
        $urlShort = $shortenUrl...;
        $sendSms->quickSend...;
        $mailer->sendEmailWithAttachment(...);

        $this->addFlash(
            'success',
            'The lesson plan was sent successfully.'
        );

        return new JsonResponse($sess_id);
    }

I have pasted the whole function because I don't know if any of the lines is causing the issue.
And here's the controller for the form:

    #[Route(path: '/new/for/{session_id}', name: 'lesson_plan_new', methods: ['GET', 'POST'])]
    public function new(Request $request, SessionRepository $sessionRepo, UserInstrumentGradeRepository $uigRepo, LessonPlanRepository $lessonPlanRepo, $session_id): Response
    {
        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_REMEMBERED');

        $session = $sessionRepo->findOneById($session_id);
        $lessonPlan = new LessonPlan();
        $uig = $session->getUserInstrumentGrade();
        $sessions = $uig->getSessions();
        $lessonPlan->setAddedOn($session->getBeginAt());

        $form = $this->createForm(LessonPlanType::class, $lessonPlan);
        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            $lessonPlan->setSession($session);
            $lessonPlan->setStudent($session->getStudent());
            $lessonPlan->setAddedOn(new \Datetime());

            $entityManager = $this->managerRegistry->getManager();
            $entityManager->persist($lessonPlan);
            $entityManager->flush();

            return $this->redirectToRoute('lesson_plan_index', ['student_id' => $lessonPlan->getStudent()->getId()], Response::HTTP_SEE_OTHER);
        }

        $lessonPlanForThisSession = $lessonPlanRepo->findOneBySession($session);

        return $this->render('lesson_plan/new.html.twig', [
            'session' => $session,
            'sessions' => $sessions,
            'lessonPlanForThisSession' => $lessonPlanForThisSession,
            'lesson_plan' => $lessonPlan,
            'form' => $form,
        ]);
    }

It happens that mod_security was activated by my hosting company.
According to this information on namecheap.com, "the most common error triggered by a mod_security rule on our shared servers is 403 Forbidden one... Sometimes, due to poor website coding, mod_security may incorrectly determine that a certain request is malicious, while it is actually legitimate. When it happens, you still get a 403 error."
Having them deactivate mod_security enabled me to submit the forms successfully.
I still don't know where I'm doing the "poor website coding", but this is the reason for the error.
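
One way to find out which rule and which form field produce the 403, as an added example that is not part of the original post: it reads mod_security's "Access denied" lines from the Apache error log (on shared hosting the provider can supply them) and groups them by URL, rule id and parameter, so that one rule can be excluded for one route instead of switching the module off. The log lines, rule ids, host and the `lesson_plan[activities]` field name are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the Apache error-log layout that mod_security 2.x writes.
# Rule ids, messages, hosts and timestamps are placeholders, not values from the post.
SAMPLE_LOG = '''\
[Tue Mar 05 10:12:44 2024] [security2:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<p" at ARGS:new_stuff. [file "/path/to/rules.conf"] [line "10"] [id "1000001"] [msg "constructed: HTML tag in argument"] [hostname "example.test"] [uri "/ajax/save/new"] [unique_id "A1"]
[Tue Mar 05 10:13:02 2024] [security2:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<p" at ARGS:assignment_for_student. [file "/path/to/rules.conf"] [line "10"] [id "1000001"] [msg "constructed: HTML tag in argument"] [hostname "example.test"] [uri "/ajax/save/new"] [unique_id "A2"]
[Tue Mar 05 10:15:30 2024] [security2:error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "%0a" at ARGS:finger_exercises. [file "/path/to/rules.conf"] [line "20"] [id "1000002"] [msg "constructed: line break in argument"] [hostname "example.test"] [uri "/ajax/save/new"] [unique_id "A3"]
[Tue Mar 05 10:16:11 2024] [security2:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "%0a" at ARGS:lesson_plan[activities]. [file "/path/to/rules.conf"] [line "20"] [id "1000002"] [msg "constructed: line break in argument"] [hostname "example.test"] [uri "/new/for/42"] [unique_id "A4"]
[Tue Mar 05 10:16:40 2024] [php:notice] [client 203.0.113.7] constructed unrelated line
'''

TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')        # [id "..."], [msg "..."], [uri "..."]
DENIED = re.compile(r'ModSecurity: Access denied with code (\d{3})')
TARGET = re.compile(r' at ([A-Z_]+(?::\S+?)?)\. \[')     # e.g. ARGS:new_stuff

def parse_denials(log_text):
    """Return one dict per request that mod_security blocked."""
    denials = []
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied:
            continue  # warnings and unrelated Apache lines are not blocks
        tags = dict(TAG.findall(line))
        target = TARGET.search(line)
        denials.append({
            "status": int(denied.group(1)),
            "rule_id": tags.get("id", "unknown"),
            "msg": tags.get("msg", ""),
            "uri": tags.get("uri", "unknown"),
            "target": target.group(1) if target else "unknown",
        })
    return denials

def exclusion_candidates(denials):
    """Group blocks as (uri, rule id) -> sorted parameters that tripped the rule."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["uri"], d["rule_id"])].add(d["target"])
    return {key: sorted(targets) for key, targets in grouped.items()}

if __name__ == "__main__":
    for (uri, rule_id), targets in exclusion_candidates(parse_denials(SAMPLE_LOG)).items():
        print(f"{uri}: rule {rule_id} matched {', '.join(targets)}")
```

The resulting (URL, rule id, parameter) triples are what a host needs in order to scope an exception to the affected routes while leaving the rest of the rule set active.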