
Area: Optimizely Search & Navigation
ARCHIVED This content is retired and no longer maintained. See the latest version here.



When searching with the general .NET API, search queries are usually executed using a method named GetResult, which returns, among other things, matching objects or projections from matching objects by deserializing them from JSON. However, when executing a query for EPiServer pages and files stored in a VPP folder, we often want the returned objects to be the EPiServer objects, such as PageData objects, returned from the EPiServer APIs, and not objects deserialized from the index.

In fact, deserializing PageData objects from the index will not even work out of the box. Instead, by only retrieving a reference to matching objects and then fetching them from, for instance, the EPiServer DataFactory, we can be confident that they hold the very latest data from the database, and we will also be able to update or delete them should we want to. The integration contains two extension methods that handle this process for us: GetContentResult and GetFilesResult.


To use GetContentResult or GetFilesResult, simply create a search query either for IContent objects or UnifiedFile objects, and use these methods instead of the regular GetResult method to execute the query and retrieve the result.



For scenarios where we don't want the whole IContent or UnifiedFile objects but rather a subset of their content, perhaps with highlighting, we can instead use the regular GetResult method after first creating a projection using the Select method described in the Searching section of this documentation.

Language handling

The GetContentResult method automatically adds a filter to the search request to select content from the current language branch as determined by the EPiServer LanguageSelector.Autodetect() method. To select pages from a specific language branch, an overload accepting a LanguageSelector instance can be used.

  .GetContentResult(new LanguageSelector("sv"));


As opposed to the GetResult method, which does not do any caching by default, the GetContentResult method automatically adds caching for a minute. However, to make sure that cached query results do not become stale, it adds query results to the cache with a dependency on the EPiServer master cache key. This means that the cache will be cleared whenever EPiServer content is saved or deleted. This is similar to how the EPiServer output cache works.

Note that the cache key is generated from the query, meaning that if we use queries containing dates, we should normalize the dates to minutes or hours. Otherwise we will not benefit from caching, while still filling up the cache with unused data. In other words, avoid filtering using DateTime.Now.
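The following is an added example, not code from the original documentation, showing one way to normalize a date before it enters a cached query. The class name, the FloorTo helper and the PublishedBefore query are hypothetical; the StartPublish filter is only an illustration of a date-based filter.

```csharp
using System;
using System.Collections.Generic;
using EPiServer.Core;
using EPiServer.Find;
using EPiServer.Find.Cms;
using EPiServer.Find.Framework;

// Hypothetical helper class, added for illustration only.
public static class CacheFriendlyQueries
{
    // Round a timestamp down to the start of its bucket (for example one
    // minute), so that every request inside the bucket builds the same
    // query and therefore the same cache key.
    public static DateTime FloorTo(DateTime value, TimeSpan bucket)
    {
        if (bucket <= TimeSpan.Zero)
            throw new ArgumentOutOfRangeException("bucket", "Bucket must be positive.");

        return new DateTime(value.Ticks - (value.Ticks % bucket.Ticks), value.Kind);
    }

    // Hypothetical query: pages whose StartPublish lies before the cutoff.
    public static IEnumerable<PageData> PublishedBefore(DateTime now)
    {
        // Passing DateTime.Now straight into the filter would change the
        // query on every call: each request would miss the cache and leave
        // behind an entry that is never read again.
        DateTime cutoff = FloorTo(now, TimeSpan.FromMinutes(1));

        return SearchClient.Instance.Search<PageData>()
            .Filter(x => x.StartPublish.Before(cutoff))
            .GetContentResult();
    }
}
```

A one-minute bucket matches the one-minute cache duration; use a larger bucket, such as an hour, when the filter does not need minute precision.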

Accessing the actual search results

GetContentResult and GetFilesResult both return instances of a type which contains the matching objects, such as matching content objects. These types are ContentResult and FilesResult. This is accomplished by fetching the matching objects' IDs from the search engine and then fetching the actual objects from the CMS API. Sometimes we may need to use the actual search results (of type SearchResults), for instance in order to track statistics. Both ContentResult and FilesResult expose these through a property named SearchResult.


Last updated: Jun 10, 2014
