[OJS 3.1.0-1] issue to submit metadata saveStep/3 403 (Forbidden)


I have an issue when I try to save in the metadata tab (step 3), at first we can’t save anything of metadata for a particular manuscript, but when I save first some info and later other I can recognize the problem but is really weird… is just one line of text in the translate abstract, and when I try to put this line the system “collapse” and in the console in Chrome generate this error:
POST http://ojs.xxxx.cl/index.php/xxxx/submission/saveStep/3 403 (Forbidden)

I made some videos (without audio) for explain my problem:

I will gratefull to receive any suggestion and help to solve my issue.



Hi @t4x0n,

I suspect this is mod_rewrite or something similar preventing a legitimate request from getting to OJS. Check if your server uses a tool like this; any interventions should be logged.

Alec Smecher
Public Knowledge Project Team

Thanks @asmecher,

mod_rewrite is not enabled at the subdomain.

In the error log: but is no an error log after I pressing the button, just the following lines when I open the Metadata Tab (is a long list but is “normal”): I prefer upload an image because is nothing new…

I think the problem is in JS, like one character or mix of characters, like html code but when I try other options (like video 2 and 3) nothing happend


Maybe mod_security is triggered with some of the content there. Not sure what though? Prevent mod-security 403 server errors in web hosting


@ajnyga you are right!! look this log in mod_security tools Hits List, is exactly the problem:

now I need to lern more about that, for solve my problem but this is a great step! thanks!!

1 Like

An update: the problem is Comodo WAF. One rule for SQLmap attack detect the last word in the abstract like an attack: “…en esta especie de roedor.” the last word “roedor.” have OR at the end, and maybe this makes a match with something like or]</p> like the example in this post: Rule 218500 False positives · Issue #856 · SpiderLabs/owasp-modsecurity-crs · GitHub

@asmecher, @ajnyga, maybe you have more info about that… what is recommended for this? Comodo rules are very useful and widely used, it is possible to change some code in OJS forms, in order to avoid problems like that? or this is maybe a bad structured rule in comodo… I don’t know, for this moment I am happy to find the root of the problem.

thank you very much!!


Yes, it is ususally sql related strings that trigger mod_security. I have to say that I have no expertise in setting mod_security, but I believe there is really nothing you can do in the OJS end. Basically any form element that would be submitted on the server with the same content would cause the error.

I think that the best place to find help with the rules is Stack Exchange, but it could be that Alec knows about these as well.

Hi all,

Unfortunately I don’t have anything more specific to add – just that these rules appear to be very prone to false positives sometimes.

Alec Smecher
Public Knowledge Project Team