Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

Mari Jørgensen
Jun 14, 2011
(2 votes)

Failed to load viewstate

Recently I was involved investigating a rather peculiar bug. Since there have been several related forum posts on World, and also in the support system, I thought I should give a quick “heads up”.

How the bug manifests itself

The bug itself behaves in the following manner:

Creating a new page from edit mode (by using “Save and Publish” or “Save and View”) and then selecting “Edit”, causes a runtime error:

Failed to load viewstate. The control tree into which viewstate is being loaded must match the control tree that was used to save viewstate during the previous request.  For example, when adding controls dynamically, the controls added during a post-back must match the type and position of the controls added during the initial request.

Failed to load ViewState

The error only occurred when publishing page types with a property of type XForm, and were regardless of page type implementation (not related to the .aspx code).

What to look for

After hours of scratching my head searching for the cause of this, I found the source of the problem:
An external module had a EditPanel plugin that where adding a CSS file to the Page’s header collection in Page Load.

How to solve it

Use the Plugin-Manager in admin mode to find EditPanel plugins, and try disabling each to find “the bad guy”.
This error typically occur on page types using XForms because the XForms property is using viewstate.

Note: The error seem to be limited to EPiServer CMS 5 (SP2) – the same code runs without errors in CMS 6.

Jun 14, 2011


Erik Aandahl
Erik Aandahl Apr 16, 2012 02:55 PM

Thanks Mari.
I ran into the same problem in CMS6. Had an EditPanelPlugin that added a property to ViewState. In my case it (seems to) work just as well with Session

Please login to comment.
Latest blogs
Stop Managing Humans in Your CMS

Too many times, a content management system becomes a people management system. Meaning, an organization uses the CMS to manage all the information...

Deane Barker | Nov 30, 2023

A day in the life of an Optimizely Developer - Optimizely CMS 12: The advantages and considerations when exploring an upgrade

GRAHAM CARR - LEAD .NET DEVELOPER, 28 Nov 2023 In 2022, Optimizely released CMS 12 as part of its ongoing evolution of the platform to help provide...

Graham Carr | Nov 28, 2023

A day in the life of an Optimizely Developer - OptiUKNorth Meetup January 2024

It's time for another UK North Optimizely meet up! After the success of the last one, Ibrar Hussain (26) and Paul Gruffydd (Kin + Carta) will be...

Graham Carr | Nov 28, 2023

Publish content to Optimizely CMS using a custom GPT from OpenAI 🤖

Do you find the traditional editor interface complicated and cluttered? Would you like an editorial AI assistant you can chat with? You can!

Tomas Hensrud Gulla | Nov 28, 2023 | Syndicated blog

Optimizely Graph and Next.js: Building Scalable Headless Solutions

Optimizely Graph harnesses the capabilities of GraphQL, an intuitive and efficient query language to, transform content within an Optimizely CMS in...

Szymon Uryga | Nov 27, 2023

Getting Started with Optimizely SaaS Core and Next.js Integration: Testing Content Updates

The blog post discusses the challenges of content updates on a website using Optimizely CMS, Next.js, and the Apollo Client due to Apollo's local...

Francisco Quintanilla | Nov 27, 2023 | Syndicated blog