Vulnerability in EPiServer.Forms
I guess this question has been asked before, but I couldn't find it.
When uploading images there's nothing that takes the required properties into consideration.
Also, it seems like if you upload an image with a required property it isn't automatically published, but still it's fully usable and displayable to the end user.
One obvious property is alt-text for images, it should always be entered, but as it is now the editor can upload and use the image without the property, and it's not that easy for the editor to enter it afterwards.
Before, when using VPP, the properties were displayed after the file was uploaded making it a natural step.
What are the thoughts on this? Is there/will there be a fix for this? Is there any workaround?
Is everyone outside enjoying the spring sun, or is there no good answer?
I wish that I was out in the sun. But since I'm locked into my cell, with only coffee to keep me going until someone comes and unlocks the bars to release me for the weekend, I might as well give you an answer.
Your sentence "When uploading images there's nothing that takes the required properties into consideration." is in contrast to what you then write: "Also, it seems like if you upload an image with a required property it isn't automatically published, but still it's fully usable and displayable to the end user." As you write, items that have required properties are not published automatically on upload. These should NOT be available to end users (if by that you mean site visitors), but they are still available to editors. There are other systems that handle this differently, putting newly uploaded items in a quarantine until they have been organized and approved, but this is not the case with the built-in media management in EPiServer. Still, you can find all drafts under "Tasks->Drafts", so there is somewhat limited support for this workflow.
We have just started work on improving the workflow for working with several items, since this need has increased in EPiServer 7, especially with the introduction of blocks. The central part of this is to have a "workspace/project" where you can see a list of items in progress. I hope that we can add newly uploaded items to this, which I hope would solve your need. Also, I see that when copying items in EPiServer, they should get draft status and be put in the workspace so you can edit them before they are published.
I realize now that we have our own handling of image resizing on top of the original image, which did not take publish state into consideration for the images, so the result in my case was:
1. Editor uploads image and doesn't enter required property.
2. Editor selects to use image from a block or page.
3. Anonymous users can view the block/page with the resized image.
But now, when trying to visit the original image as an anonymous user, I realize login is required.
In my opinion there should be a dialog once the image is uploaded, or maybe even before, like when you create a new block with required properties. Or maybe that changed in 7.5 as well. Oh well, I guess you will sort it out.
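The gap described in this post is that the custom resize endpoint served derived images without the publish-state and access checks the original file URL enforces. The following is an added example, not code from this thread or from EPiServer, of a guard such a handler can run before it touches the original file. It assumes EPiServer 7.x APIs (IContentLoader.TryGet, ImageData, IContent.IsDeleted, IVersionable.Status, QueryDistinctAccess); ResizeGuard and ResizeDecision are names chosen here.

```csharp
using EPiServer;
using EPiServer.Core;
using EPiServer.Security;

// Outcome of the pre-check; the handler maps these to 404 / 403 / normal response.
public enum ResizeDecision { Serve, NotFound, Forbidden }

public static class ResizeGuard
{
    // Decide whether a resized variant of the image behind `link` may be served to
    // the current request's principal. Runs BEFORE reading the original file, so
    // the resize URL cannot leak an image the direct URL would refuse to serve.
    // `contentLoader` is the IContentLoader the handler already has injected.
    public static ResizeDecision Check(IContentLoader contentLoader, ContentReference link)
    {
        ImageData image;
        if (ContentReference.IsNullOrEmpty(link) ||
            !contentLoader.TryGet<ImageData>(link, out image) ||
            image.IsDeleted)
        {
            // Do not distinguish "missing" from "in the wastebasket": both are 404.
            return ResizeDecision.NotFound;
        }

        // Same ACL check the original file URL is subject to (uses the current principal).
        if (!image.QueryDistinctAccess(AccessLevel.Read))
        {
            return ResizeDecision.Forbidden;
        }

        // An upload that is missing a required property (e.g. alt text) stays a draft.
        // Drafts are for editors only, so require Edit access instead of guessing a
        // role name: anonymous visitors never have it, editors normally do.
        var versionable = image as IVersionable;
        bool isPublished = versionable != null && versionable.Status == VersionStatus.Published;
        if (!isPublished && !image.QueryDistinctAccess(AccessLevel.Edit))
        {
            return ResizeDecision.Forbidden;
        }

        return ResizeDecision.Serve;
    }
}
```

Cached resized files need the same treatment: key the cache on the content version (or re-run the check on every hit), otherwise a variant generated while the image was published keeps being served after it is unpublished.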
OK, that explains your behaviour. Glad that you found it so quickly. The problem with showing mandatory properties for a file is that a common scenario is to upload several files at the same time, which would require some other interaction pattern. As I mentioned, I hope that the project features might solve this issue by indicating that these items are not ready to be published together with the other data.