
Gutenberg's update payload clashes with a common ModSecurity rule, including on Namecheap. #46273

Open
Pikamander2 opened this issue Dec 2, 2022 · 2 comments
Labels
[Package] Core data /packages/core-data [Type] Enhancement A suggestion for improvement.

Comments

@Pikamander2

Description

We recently created a cheap shared hosting instance on Namecheap and installed WordPress on it via Softaculous.

Before installing any plugins or themes, we tried to edit the default Hello World post by adding a paragraph block and immediately received this error: "Updating failed. The response is not a valid JSON response."

Upon doing some trial and error and looking at the Network tab in Chrome's dev console, it appears that this payload data was prompting the error: "<!-- wp:paragraph -->\n<p>Welcome to WordPress. This is your first post. Edit or delete it, then start writing!</p>\n<!-- /wp:paragraph -->".

That content, specifically the HTML metadata, was triggering a ModSecurity rule and causing the request to return a LiteSpeed 403 HTML-based error page rather than the normal JSON response that Gutenberg was expecting.

I Googled around and found that:

  1. The error was very common.
  2. The error can have multiple causes, not all of which are caused by ModSecurity.
  3. Most of the community-provided solutions to that error were along the lines of "we switched to the Classic Editor and now it works fine", which is sometimes an acceptable workaround but definitely not the proper way to fix it.

I contacted Namecheap's support and they were able to whitelist some part of the request on our server which fixed our issue. I tried to talk to them about reevaluating their default ModSecurity rules since most of their customers use WordPress and the default editor, but they just gave me some kind of prewritten message about how ModSecurity helps protect our server.

Is there any way to adjust the metadata so that it's less likely to trigger whatever kind of ModSecurity rule is being triggered? Or to encourage whoever maintains the most common ModSecurity rulesets to recommend an adjustment? Namecheap has millions of customers, and I found a bunch of posts online suggesting that GoDaddy has the exact same issue via its "firewall". Most of the people encountering this issue don't have the experience needed to locate the source of the issue, or wouldn't know that they need to specifically ask their web host to adjust a specific rule.

If nothing else, perhaps the default message could be altered to be more helpful? For example, maybe catching a 403 error could alter the error message to suggest to the user that it might be a security rule that needs to be whitelisted by their host, or maybe the error in general could just link to some kind of FAQ page that lists some recommended fixes and workarounds?

Step-by-step reproduction instructions

  1. Create a WordPress website on a host like Namecheap or GoDaddy that uses ModSecurity.
  2. Try to edit or create a post/page and include a single paragraph block with some text in it.
  3. Observe that the request fails with the generic "Updating failed. The response is not a valid JSON response." message and no instructions on how to proceed further.

Screenshots, screen recording, code snippet


Environment info

  • A fresh installation of WordPress 6.1.1 (no plugins)
  • Any theme that doesn't modify the editor (e.g. Twenty Twenty-Three)
  • Any browser (e.g. Chrome)
  • Any OS (e.g. Windows 10)

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Yes
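The enhancement the issue asks for, as an added example that is not Gutenberg's or WordPress's own code: a small classifier that tells a WAF/ModSecurity-style HTML 403 apart from a genuine REST JSON error before the editor falls back to the generic "not a valid JSON response" message. The sample responses are constructed here to mimic what the issue describes (a LiteSpeed HTML 403 page in place of JSON); the function name and the shape of the response object are assumptions.

```javascript
// Constructed sample responses, modelled on the issue: the block markup
// "<!-- wp:paragraph -->..." is sent to the REST API, but the host's
// ModSecurity rule answers with an HTML 403 page instead of JSON.
const SAMPLE_WAF_403 = {
  status: 403,
  contentType: 'text/html',
  body: '<!DOCTYPE html><html><head><title>403 Forbidden</title></head>' +
        '<body><h1>403 Forbidden</h1><p>Access to this resource is denied.</p></body></html>',
};
const SAMPLE_OK = {
  status: 200,
  contentType: 'application/json; charset=UTF-8',
  body: '{"id":1,"status":"publish","content":{"raw":"<!-- wp:paragraph -->"}}',
};
// A real REST permission error: also a 403, but a JSON body with a WP error code.
const SAMPLE_REST_ERROR = {
  status: 403,
  contentType: 'application/json; charset=UTF-8',
  body: '{"code":"rest_cannot_edit","message":"Sorry, you are not allowed to edit this post."}',
};

// Hypothetical helper: classify the outcome of a post save request.
// Returns { kind, ... } where kind is one of:
//   'ok'                  2xx with a JSON body
//   'rest_error'          JSON body carrying a WordPress REST error code
//   'blocked_by_firewall' 403 with an HTML body (request never reached WordPress)
//   'invalid_json'        anything else that is not parseable JSON
function classifySaveResponse({ status, contentType, body }) {
  const isJson = /application\/json/i.test(contentType || '');
  let data = null;
  if (isJson) {
    try { data = JSON.parse(body); } catch (e) { data = null; }
  }
  if (status >= 200 && status < 300 && data !== null) {
    return { kind: 'ok', data };
  }
  if (data !== null && typeof data.code === 'string') {
    return { kind: 'rest_error', status, code: data.code, message: data.message };
  }
  const looksLikeHtml = /<\s*(!doctype|html)\b/i.test(body || '');
  if (status === 403 && looksLikeHtml) {
    // The body is a server/WAF error page, not a WordPress response: surface a
    // hint instead of the generic "not a valid JSON response" message.
    return { kind: 'blocked_by_firewall', status,
             message: 'The request was blocked (HTTP 403) before reaching WordPress. ' +
                      'A server security rule such as ModSecurity may need to be adjusted by your host.' };
  }
  return { kind: 'invalid_json', status };
}
```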

@talldan
Contributor

talldan commented Dec 6, 2022

I'm no expert in this field, but there are a lot of past Gutenberg issues and Trac tickets about ModSecurity rules causing issues, though none I could see specifically mention block markup as being a trigger. 🤔

@Thelmachido Thelmachido added [Type] Security Related to security concerns or efforts [Package] Core data /packages/core-data [Type] Enhancement A suggestion for improvement. and removed [Type] Security Related to security concerns or efforts labels Dec 6, 2022
@getsource
Member

@Mamaduka pinged me about this, and we asked at GoDaddy.

No one mentioned any trending issues that match this description.

The editor working properly is extremely important!

If you or anyone else has sites at GoDaddy that are having this issue, please feel free to either reach out to me directly in WordPress Slack, or comment here. That way it can be escalated to the right folks.
