Vulnerability in EPiServer.Forms
In CMS7 I was able to enter links with query string parameters and/or bookmarks in URL properties that point to pages in our CMS. These links are converted to internal links by EPiServer after upgrading to CMS 7.13, and therefore the querystring parameters and bookmarks are stripped away.
Example on "http://mysite/": In a Url property I'm creating an external link to http://mysite/?parameter=value
When saving this Url property EPiServer sees this as an internal link to my start page, and converts it on the fly, stripping away the query string parameters with it.
Is there a way to stop or change this behavior? I have several Url properties on my upgraded (from CMS7) site where editors have created "deep" links with bookmarks and others where query string parameters are used, so this is a seriously breaking change for us.
-- Regards, Tarjei Olsen
This bug should have been fixed. Are you experiencing this with the latest packages?
Yes, as far as I can tell it’s the newest:
I originally got the error reported from our customer on CMS version 7.13, and upgraded today to 1.13.1. Still same problem.
This should be supported but I found out that the fix I heard about was a related issue. I have created a bug report to address this:
Is there a publicly visible URL where I can follow the lifecycle of this bug? The link you posted seems to point to some internal Team Foundation Server. I also tried to Find it (geddit?) on http://world.episerver.com/Support/Bug-list-beta/, but it isn't there yet.
Thanks for the quick replies – very much appreciated!
Linus, does this include being able to create links like this: /routepath/
where the URL is to a local route that is not a simple address for a page?
For example, we use this for our search page, where if you write
You search for all jobs and that is not a page, just routing
@Tarjei: The bug will appear in the bug list on World once it's been triaged and made public by the dev team that's responsible for the area.
@Henrik: It's actually possible to do it today, but the format you enter needs to be absolute, for instance http://site.com/yourcustomroute. I have added another bug today to investigate if we can make it possible to enter relative links in the UI:
Bug #116910: Exception is thrown when adding a relative link
Thanks Linus. Relative is better when moving between test/production/development.
It's finally working with @Url.ContentUrl(Model.Link), both with querystring and with hash (#) URLs :-)