We apologize for the instability of composr.app and appreciate your patience. We are working on the statistics addon and trying to find an optimal way to store and render data. Unfortunately, we have yet to find a solution that can handle the traffic (and therefore, tens of millions of statistical records) of composr.app. We're working hard on one.
This is almost certainly a ModSecurity configuration problem on your hosting. It's been set up to block requests too aggressively, possibly being triggered by the WYSIWYG editor (i.e. blocking any form request that contains HTML).
It is possible it might also relate to URL schemes. I've had similar issues on my v10 install but it happens with the /pg/ scheme, not the raw scheme. Have not tested on .htm or super simple schemes.
Also worthy to note the issue is not present on v11-alpha
Also worthy to note the issue is not present on v11-alpha