K Khan
Mar 22, 2024

Top tip: Better, do not save EPiServer.Forms submissions for sensitive data

If your website uses EPiServer.Forms and includes forms where users can upload files, there is a significant probability that the Find/Search Indexing Job will also index those files. The files may then become reachable through Find searches. Editors may encounter them in the editor area when searching for images, and depending on the implementation, they may also end up in publicly available search results. A straightforward fix is to stop indexing user-uploaded files. One possible approach to prevent the indexing of files uploaded through forms is shown in the code below.

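// Requires: using System.Linq; using EPiServer; using EPiServer.Core;
//           using EPiServer.Find.Cms; using EPiServer.Find.Cms.Conventions;
// _contentLoader is an injected IContentLoader.
// ShouldIndex must return false for files under the Forms upload folder, hence the negation.
ContentIndexer.Instance.Conventions.ForInstancesOf<IContentMedia>().ShouldIndex(media =>
    // GetAncestors(media.ContentLink) starts at the immediate parent folder and walks up to the root.
    !_contentLoader.GetAncestors(media.ContentLink)
        .Select(ancestor => ancestor.Name)
        .Contains(EPiServer.Forms.Constants.FileUploadFolderName));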

This stops the indexing of users' uploaded files, but it will certainly slow down the indexing job, because the ancestors are loaded for each media item.
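The same convention registered from an initialization module, with the ancestor lookup cached per parent folder to reduce the slowdown noted above. This is an added example, not code from the original post: the class name and the cache are assumptions, and a cached decision stays in place until the application restarts, so it goes stale if a folder is moved.

```csharp
using System.Collections.Concurrent;
using System.Linq;
using EPiServer;
using EPiServer.Core;
using EPiServer.Find.Cms;
using EPiServer.Find.Cms.Conventions;
using EPiServer.Framework;
using EPiServer.Framework.Initialization;

// Hypothetical module name; registers the convention once at startup.
[InitializableModule]
[ModuleDependency(typeof(EPiServer.Find.Cms.Module.IndexingModule))]
public class FormUploadIndexingExclusion : IInitializableModule
{
    // Parent folder ID -> "is inside the Forms upload folder tree".
    // Assumption: folders are not moved in or out of that tree at runtime.
    private static readonly ConcurrentDictionary<int, bool> UploadFolderCache =
        new ConcurrentDictionary<int, bool>();

    private IContentLoader _contentLoader;

    public void Initialize(InitializationEngine context)
    {
        _contentLoader = context.Locate.Advanced.GetInstance<IContentLoader>();

        // Index media only when it is NOT stored under the Forms upload folder.
        ContentIndexer.Instance.Conventions
            .ForInstancesOf<IContentMedia>()
            .ShouldIndex(media => !IsFormUpload(media));
    }

    public void Uninitialize(InitializationEngine context) { }

    private bool IsFormUpload(IContentMedia media)
    {
        if (ContentReference.IsNullOrEmpty(media.ParentLink))
            return false;

        // Media items in the same folder share the answer, so the ancestor
        // walk runs once per folder instead of once per file.
        return UploadFolderCache.GetOrAdd(media.ParentLink.ID, _ =>
            _contentLoader.GetAncestors(media.ContentLink)
                .Any(a => a.Name == EPiServer.Forms.Constants.FileUploadFolderName));
    }
}
```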

Note that even with this change, users' uploaded files remain accessible to all editors through the Form Submissions View. Take this into account according to the sensitivity of the uploaded data. Ideally, where user data is sensitive, do not save form submissions within forms at all, because the security around form submissions is limited.

Editors play a pivotal role in designing forms, and their training is crucial, particularly in alignment with the nature of the business, the type of information they will be gathering, and the relevant legislation. Training should ensure that editors understand the intricacies of data collection, its implications, and compliance requirements. 
