Upon saving the page, I get a 'Saving Error' pop-up

LiveCanvas is basically a HTML editor under the hood -  running in your browser, and enriched with some "point-and-click" interface to help build HTML scaffolds.

LiveCanvas is using WordPress as a backend - to save the full HTML data of your page - and it does it into the standard post_content field.

On some WordPress installs, due to strict security settings of the environment, LiveCanvas can have problems while saving the HTML.

In these cases, upon clicking the saving button in the editor, you will see a 'Saving Error' pop-up.

Depending on the actual content of the page, you could see more or less this message. Embedding some image URLs, or JS code is a typical trigger.

This issue has been traced many times at:

  • Security [at application level] plugins like WordFence
  • Security [at server level] settings / tools  like Imunify 360

What's happening behind the scenes?

Basically when you hit the save button, all the page's <main> HTML is sent via $_POST to your WordPress backend.

This can trigger some false positives in security software.

What to do?

Try tweaking settings / disabling your security plugins, or in case of server level tools / settings, contact your host and ask them to tweak settings / disable the offending tool.

How to fix issues with  WordFence

Some users are reporting problems with this famous security plugin, but it's easy to get around it.

If you do see that turning off WordFence fixes your saving problem with LiveCanvas, just look at the live traffic and when the request from LiveCanvas comes through, add it to a whitelist:



"Saving Error | Forbidden" seems to occur when there is an SVG path in the html: max_input_vars

From a client:

I'm noticing the "Saving Error | Forbidden" seems to occur when there is an SVG path in the html.  Does that help any further?  

I'm using GoDaddy dedicated server with C-Panel access, and all my sites are hosted on GoDaddy. 

After 2 full business days of being on the phone with GoDaddy's support, I finally got a proper tech to resolve the issue.  He added a .user.ini file to the file manager with these settings:

memory_limit = 512M 
max_input_vars = 5000
upload_max_filesize = 1024M
post_max_size = 128M
max_execution_time = 300
Note that as a GoDaddy customer, I do have access to change php version, add extensions, and make some adjustments, but I do not have access to the "max_input_vars".  I would not have known that adjustment would solve the issue.  The tech adjusted this setting to "5000" and it resolved the issue.
I'm just using the GoDaddy shared hosting Maximum plan if that helps.  Usually LiveCanvas works right from a fresh install.
 The only other note I might add is that the .user.ini needs to match the php settings in the Cpanel.  In Cpanel there's a section to update php version, and with that, there's a couple other setting adjustments the user can make. The only difference is that the ini method allows to modify the "max_input_vars".  Thats not available via Cpanel. If you change one but not the other, I don't know if that causes any unpredictability. Maybe the ini file overrides it.  That's outside my scope of expertise, other than the tech mentioned that he made sure they matched.

Advice for CloudFlare

Some added advice by a kind Customer

"I was incurring the issue within integration with CloudFlare and a security not allowing script in the POST request with the rule "HTML Injection - Script Tag".

I was able to fix the issue by setting an EXCEPTION under SECURITY -> WAF then MANAGED RULES tab clicking on Add Exception.

In the rule I set the requests to match:
Request Method -> POST
Hostname = "my site"
Country = "United States"
Referer contains "my site url"

You can lock this down more by adding the source IP which would be the local IP your logged in at but mine changes so i didnt do that. Anyhow, this took up like 2-3 hours of my day pulling my hair out trying to figure it out and figured it might help someone else out. See the recorded block event from CloudFlare."