Unable To Add Custom Script To Tag

Hello Community,
For some reason when adding Script to a custom HTML Tag it is refusing to save.
I saw a similar issue where the host was potentially blocking the script, however I’m not seeing any errors in the console.
Any idea how I might resolve this, as it's the last piece in getting this operational and I’d like to use Matomo to deploy an additional automation script?
Many thanks,

Just checked server logs and I am seeing a 403 file not found error message?


403 is not “Not Found” (that is 404), but “Forbidden”. Your webserver doesn’t allow you to do this request.

The most likely explanation is the following:
Your webserver is Apache and you are using the mod_security module with it. This module contains a list of rules that match requests that look like the ones done by attackers and blocks them with a 403.
Many attackers try to submit script tags like


in e.g. comment fields hoping that the website allows XSS attacks, by simply putting this into the comment on the site. Therefore there is a rule in mod_security that blocks submitting forms with content that looks like Javascript.
And this also affects the Tag Manager forms for submitting custom JS because mod_security can’t know that the JS is intentional.

See also Add a system check that detects WAFs · Issue #187 · matomo-org/tag-manager · GitHub

Ok, thank you Lukas - I’ve taken it up with my host.

The reason I mentioned it was file not found was that the server log reported it as follows
File not found [/ACCOUNT/USER/DOMAIN/403.shtml]

That makes sense.


That is a minor bug in another bug:
Somewhere in your webserver config, it is set up that whenever a 403 happens, the webserver should send the client the 403.shtml file instead of the default error page. But this file apparently does not exist (file not found).

I can now add the script, however I seem to have a problem on the site where the container is being deployed.

I can see the trigger firing the tag, however the contents of the tag are not being output.

Any suggestions on debugging this would be gratefully received. I’ll check console output shortly in case it gives me a clue.

Ok, looks like MODSEC is preventing the script injection on the domain where the container is being deployed now. I’ll take this up with my host again.

Hopefully this might help someone else running into the same problem.

I’ve finally got this working with modsec deployed on both the container manager site (matomo instance) and the site I’m tracking, which are different domains.

This also supports injecting custom scripts so the container can deploy other code without running into any XSS problems and still keeps the domain relatively secure.

It required just 6 rules modifying…
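One way to find which rules a host would need to tune on each domain, as an added example that is not part of the original thread: it groups ModSecurity 403 denials in an Apache error log by hostname and URI. It assumes the ModSecurity 2.x log layout; the hostnames, URIs and rule ids in the sample are constructed, since the thread does not name the six rules.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the ModSecurity 2.x Apache error-log layout. Hostnames, URIs,
# client addresses and rule ids are assumptions, not values from the thread.
SAMPLE_LOG = """\
[client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS. [file "/etc/modsec/xss.conf"] [line "55"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [hostname "matomo.example.org"] [uri "/index.php"] [unique_id "a1"]
[client 203.0.113.7] File not found [/ACCOUNT/USER/DOMAIN/403.shtml]
[client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS. [file "/etc/modsec/xss.conf"] [line "55"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [hostname "matomo.example.org"] [uri "/index.php"] [unique_id "a2"]
[client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/etc/modsec/xss.conf"] [line "38"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "matomo.example.org"] [uri "/index.php"] [unique_id "a3"]
[client 203.0.113.7] ModSecurity: Warning. Pattern match at ARGS. [file "/etc/modsec/xss.conf"] [line "90"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [hostname "matomo.example.org"] [uri "/index.php"] [unique_id "a4"]
[client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS. [file "/etc/modsec/xss.conf"] [line "90"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [hostname "www.example.com"] [uri "/landing-page"] [unique_id "b1"]
"""

# ModSecurity appends metadata as [key "value"] pairs; values may hold escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return the metadata of one ModSecurity log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None  # e.g. the missing 403.shtml error page, unrelated to the WAF
    fields = dict(FIELD.findall(line))
    if "id" not in fields:
        return None
    # Detection-only entries say "Warning."; blocked requests say "Access denied".
    fields["denied"] = "Access denied" in line
    return fields


def rules_by_endpoint(log_text):
    """Map (hostname, uri) -> {rule id: number of blocked requests}."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["denied"]:
            key = (entry.get("hostname", "?"), entry.get("uri", "?"))
            hits[key][entry["id"]] += 1
    return {key: dict(counts) for key, counts in hits.items()}


if __name__ == "__main__":
    for (host, uri), rules in sorted(rules_by_endpoint(SAMPLE_LOG).items()):
        print(host, uri, rules)
```

The per-endpoint list is what lets an exclusion be scoped to the one URL that legitimately carries script content rather than switching a rule off for the whole site.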