Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

EPiServer CMS 5 

Release Notes - EPiServer CMS 5 SP1

Last updated: January 21, 2008

This document describes the changed functionality in EPiServer CMS 5 SP1. This document contains notes about the changed functionality in EPiServer CMS SP1. For further informaton about the changes in EPiServer CMS 5 R1, please read the release notes for that release.

New and Enhanced Functionality

Changes in VirtualPathHandler

There are now two methods in EPiServer.Web.Hosting.VirtualPathHandler (typically accessed through the static property Instance) that makes it possible to request files/directories without performing an access check. This can be useful when calling from scheduled jobs or workflow instances.

public VirtualDirectory GetDirectory(
string virtualPath,
bool bypassAccessControl)

public VirtualFile GetFile(
string virtualPath,
bool bypassAccessControl)


Content Channel

ContentChannelService is a new API for adding content to an EPiServer CMS site from an external application via Web Services or from code within the same EPiServer site. For detailed information about the ContentChannelService, read the following technical note.

User Interface Changes

Some minor changes have been made to the user interface.

  1. There is a new value for personal language selection called "Use system language".
  2. The user interface for selecting users and groups has been changed so that users and groups are selected by clicking one command button "Select Users/Groups". This is used in several places, for example when setting access rights and permissions for functions.


EPiServer CMS 5 SP1

In order to install EPiServer CMS 5 SP1, EPiServer CMS Manager is required to install or upgrade to EPiServer CMS 5 SP1. The EPiServer CMS Manager will be automatically installed if the server is connected to the internet.

Issues when Upgrading to EPiServer CMS 5 SP1

We currently only support upgrade of EPiServer CMS 5 R1 sites to EPiServer CMS 5 SP1. For further information about migrating from EPIServer CMS 4.62 to EPiServer CMS 5 R1, see the following technical note.

Download Install EPiServer CMS 5 R1

Upgrading to EPiServer CMS 5 SP1 from EPiServer CMS 5 R1

The following issues apply when upgrading from EPiServer CMS 5 to EPiServer CMS 5 SP1.


When using EPiServer.Security.WindowsMemberShipProvider the username format is controlled and default only allows the username (without domain). If you need to log in using the domain\username or username@domain format, you must explicitly specify this in web.config. The format is specified by setting the usernameFormat attribute on the WindowMemberShipProvider definition in web.config. The supported values are "Name", "DomainAndName", "UserPrincipalName" and "Any". 

UsernameFormat Example
Name  Pelle
DomainAndName  ep\pelle
Any  Any of the formats above are allowed.


<add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" deletePrefix="BUILTIN\" searchByEmail="true" usernameFormat="DomainAndName" />

Changes Affecting Programming

Provider Capabilities

EPiServer CMS 5 uses a set of utility classes to let EPiServer know which features specific membership and role providers support. These classes have been updated in the SP1 release. These changes will only affect you if you have written code that uses the classes EPiServer.Security.ProviderCapabilities or EPiServer.Security.ProviderCapabilitySetting.

Old Code

"MyCustomMembershipProvider",// Refers to the name in web.config
new ProviderCapabilitySettings(true, // Allow creation of users
true,                                       // Allow deletion of users
true,                                       // Allow updating users
"email", true,     // Supports the email property
"comment", false));             // Provider does not support the comment property

New code

typeof(MyCustomMembershipProvider),    // The type of the provider class
new ProviderCapabilitySettings(
// Allow creation, deletion and updating of users
Action.Create | Action.Delete | Action.Update,
"email"));    // Supports the email property

// Provider does not support the comment property since it is not listed

Please refer to the updated SDK for more details on these classes.

EPiServer Profile

EPiServer CMS 5 supports and uses the ASP.NET 2.0 profile capabilities to store user-specific information. To support the required set of properties used by EPiServer CMS 5, the EPiServer.Personalization.EPiServerProfile class was used as a base class for profiles in EPiServer CMS 5 R1, i e the web.config section looked like this:

    <profile enabled="true" defaultProvider="SqlProfile" automaticSaveEnabled="true" inherits="EPiServer.Personalization.EPiServerProfile">


        <clear />

        <add name="SqlProfile" type="System.Web.Profile.SqlProfileProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" applicationName="EPiServerSample" />



Note the "inherits" attribute on the <profile> tag. This is what defines EPIServerProfile to be used as a base class for all profiles defined in ASP.NET.

This approach had some drawbacks; primarily it caused the profile configuration to be less flexible than what some scenarios required. In order to accommodate for this we have changed EPiServer CMS 5 so that EPiServerProfile is no longer required as a base class (although this is still supported). The primary purpose of the EPiServerProfile class is now to act as a wrapper class for the dynamic profile class created from the web.config section by ASP.NET. The web.config section in EPiServer CMS 5 SP1 (and later) will usually look like this:

    <profile enabled="true" defaultProvider="SqlProfile" automaticSaveEnabled="true">


        <add name="Address" type="System.String" provider="SqlProfile" />

        <add name="ZipCode" type="System.String" provider="SqlProfile" />

        <add name="Locality" type="System.String" provider="SqlProfile" />

        <add name="Email" type="System.String" provider="SqlProfile" />

        <add name="FirstName" type="System.String" provider="SqlProfile" />

        <add name="LastName" type="System.String" provider="SqlProfile" />

        <add name="Language" type="System.String" provider="SqlProfile" />

        <add name="Country" type="System.String" provider="SqlProfile" />

        <add name="Company" type="System.String" provider="SqlProfile" />

        <add name="Title" type="System.String" provider="SqlProfile" />

        <add name="SubscriptionInfo" type="EPiServer.Personalization.SubscriptionInfo, EPiServer" provider="SqlProfile" />

        <add name="CustomExplorerTreePanel" type="System.String" provider="SqlProfile" />

        <add name="FileManagerFavourites" type="System.Collections.Generic.List`1[System.String]" provider="SqlProfile" />

        <add name="EditTreeSettings" type="EPiServer.Personalization.GuiSettings, EPiServer" provider="SqlProfile" />

        <add name="ClientToolsActivationKey" type="System.String" provider="SqlProfile" />

        <add name="FrameworkName" type="System.String" provider="SqlProfile" />



        <clear />

        <add name="SqlProfile" type="System.Web.Profile.SqlProfileProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" applicationName="EPiServerSample" />



NOTE There is no longer a reference to the EPiServerProfile class and the profile properties are explicitly defined in web.config.

This change has led to a few subtle changes. Accessing HttpContext.Current.Profile would previously return an object instance that inherits from EPiServerProfile, but from SP1 it will return an object instance that inherits from System.Web.Profile.ProfileBase, i.e. code like this worked perfectly fine in pre-SP1:

EPiServerProfile profile = (EPiServerProfile)HttpContext.Current.Profile;

The code above will most likely fail in SP1 and later versions. You should either make sure you have an EPiServerProfile instance by using the static Wrap method:

EPiServerProfile profile = EPiServerProfile.Wrap(HttpContext.Current.Profile);

or simply call the Current property on EPiServerProfile, which basically does the same thing.

EPiServerProfile profile = EPiServerProfile.Current;


Fixed Issues in EPiServer CMS 5 SP1

A list of issues that have been solved in this release is available at

Documentation Updates

The following updates have been made to the EPiServer CMS documentation since EPiServer CMS 5 R1.

Technical Notes

The following technical notes have been added since EPiServer CMS 5 R1.

  • Event Management System Specification
  • Configuring Subscription in EPiServer CMS 5
  • EPiServer CMS SharePoint 2007 Connector