Giang Nguyen
Nov 7, 2019

Problematic serialization of EPiServer.Url class in CMS 11

What happened?

Recently, I found some problems with EPiServer.Url objects, mostly because of their serialization.

Let's start with a demonstration like this:

using System.Collections.Generic;
using EPiServer.Cms.Shell.UI.ObjectEditing.EditorDescriptors;
using EPiServer.Core;
using EPiServer.DataAnnotations;
using EPiServer.Shell.ObjectEditing;

// The page model
[ContentType(GUID = "...")]
public class MyPage : PageData
{
    [EditorDescriptor(EditorDescriptorType = typeof(CollectionEditorDescriptor<MyType>))]
    public virtual IList<MyType> MyTypeList { get; set; }
}

// The MyType class
public class MyType
{
    public string WorksNormal { get; set; }
    public EPiServer.Url WontWork { get; set; }
}

// The definition so it won't cause problems with the editor
public class DecisionItemListProperty : PropertyList<MyType>
{
}

The innocent-looking code above seems fine and quite simple to most developers. However, two dreadful errors happen in CMS 11 (while it's totally fine with version 10)!

Firstly, the CMS editor's behavior becomes strange when I try to add MyType objects to the list. Everything is okay in the editor: the popup, the workflow, the UI. Surprisingly, after saving the page, regardless of whether it's published or saved as a draft, all data in MyType.WontWork is gone while everything else is saved as expected. There is no warning, error or stack trace in the log file!

Secondly, Find failed to index the page, and every trace points to the MyType.WontWork object. I suspect that Newtonsoft.Json is unable to serialize the Url class (it works okay if [JsonIgnore] is present).

How come?

What I found regarding this is here, in the PropertyList<T> improvements (Beta removal) section. However, nothing there points out directly whether the Url class is affected or not, and there is no warning or suggestion for code changes.

I am also awaiting a comment here to help me figure out the root cause of this.

How to fix?

Easy peasy. Just add some annotation to the Url property, so it will look like this:

public EPiServer.Url WontWork { get; set; }

Just that! It would be fine.
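
Because the first symptom above is silent (no warning, error or stack trace), a round-trip check in a test project can catch list-item properties that do not survive JSON serialization before editors lose data. The following is an added example, not code from the original post or from EPiServer: it assumes plain Newtonsoft.Json rather than the CMS's own serializer, and `OpaqueLink`, `ListItem` and `RoundTripGuard` are hypothetical stand-ins (`OpaqueLink` is not EPiServer.Url, and the post does not establish that this is the mechanism inside CMS 11).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Newtonsoft.Json;

// Stand-in for a value type that Json.NET can write but not read back:
// the setter is private and carries no [JsonProperty]. Hypothetical, not EPiServer.Url.
public class OpaqueLink
{
    public OpaqueLink() { }
    public OpaqueLink(string raw) { Raw = raw; }
    public string Raw { get; private set; }
}

public class ListItem            // plays the role of MyType from the post
{
    public string WorksNormal { get; set; }
    public OpaqueLink WontWork { get; set; }
}

public static class RoundTripGuard
{
    // Serializes the item, reads it back, and returns the names of public
    // properties whose JSON form changed, i.e. data that would be lost silently.
    public static IList<string> LostProperties<T>(T item)
    {
        var copy = JsonConvert.DeserializeObject<T>(JsonConvert.SerializeObject(item));
        return typeof(T).GetProperties()
            .Where(p => JsonConvert.SerializeObject(p.GetValue(item)) !=
                        JsonConvert.SerializeObject(p.GetValue(copy)))
            .Select(p => p.Name)
            .ToList();
    }
}

public static class Program
{
    public static void Main()
    {
        var item = new ListItem { WorksNormal = "text", WontWork = new OpaqueLink("/en/start/") };
        var lost = RoundTripGuard.LostProperties(item);
        // Fail loudly instead of letting the value vanish on save.
        Console.WriteLine(lost.Count == 0 ? "round trip OK" : "lost on round trip: " + string.Join(", ", lost));
    }
}
```

To use the guard against a real model, call `LostProperties` on a populated instance of the list-item type from a unit test and assert that the returned list is empty.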
