Vulnerability in EPiServer.Forms
I've implemented XForms in a project, CMS 7.5, Relate, MVC, and when I create a form and try to save I get the error message "Incorrect Form" and I am unable to save the form - this happens when using Firefox 25.0.1.
When I use Chrome 31 I am able to create and edit forms as expected. The CMS edit mode does not work in IE11 with the version of CMS I am using (known bug apparently) so I'm not able to test with IE11.
Once the form is created I have no problems using it on a page; I just can't save any edits using Firefox.
The only post I have seen related to this didn't really offer any definite fix or suggestions on how to fix.
Any thoughts gratefully received.
Could you get a full error log from Firefox console when trying to create the xform?
I do wonder if this is related - https://developer.mozilla.org/en-US/docs/Archive/Web/XForms
I have exactly the same issue but with IE11 and EPiServer CMS 22.214.171.124.
Is there a solution or a bug fix in a later update package?
I have this problem with IE11, Chrome 42.0.2311.90, and Firefox 40.0.3 with EpiServer CMS 8.?. (The version isn't on the help/about screen. How not helpful.)
The form imports, but cannot save. I receive the unhelpful "Incorrect form" message.
Upon clicking the Save button (after importing the file), the console message from Chrome reads:
The XSS Auditor refused to execute a script in 'https://[mydomain]/EPiServer/CMS/edit/XFormEdit.a…nguage=en&formid=53a6978a-9d3e-4e49-a8f0-de04092c23c7&selectedFormName=%2f' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
So I believe it thinks it's protecting me from cross-site scripting, but I don't know why. The form I uploaded contains divs and form fields and a couple of headings, and that's it. The only external domains on the page are the XML schema information which the x-forms itself writes: <root xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> (Added: If you attempt to take these out, the form won't import because it's improper XML) and the submit button, which in my case is using the database option on the localhost: <xforms:submit name="Submit" action="http://localhost/sql" method="">
I did change the name on that submit button because I had to write the form from scratch (due to a bug where you can't have the select fields next to each other, or they merge together for some unfathomable reason), but the action to the database is what EpiServer writes.
Edited to add: For what it's worth, I do have a name on this form (Loan Inquiry), so I'm not sure why it's saying "selectedFormName=%2f" above. I saved the blank form with that name and closed it before attempting to import the form into the system. It didn't work any better with a brand new form that had never been saved. It would do the same thing: import but not save due to the "Incorrect form" message.
Also, FYI, the W3C schools XML validator has no issues with the file I am attempting to upload. I did attempt to shorten the form to around 10 fields to see if it would save, but it still did not. (I removed the Submit button as part of that test. The form still imported, but would not save.)
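The check described in the Chrome console message above, as an added example that is not part of the original posts or of EPiServer's code: a simplified model of why a save request that carries markup with an inline script, echoed back by the server, gets its script refused when no X-XSS-Protection header is sent. The field name "content", the sample markup and the function names are assumptions made for illustration; the real auditor's matching was more elaborate and Content-Security-Policy is not modelled.

```javascript
// Simplified model of the reflected-script check named in the console message.
// All names and sample data below are constructed for this example.

// Interpret the X-XSS-Protection response header (header names are case-insensitive).
function auditorMode(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const value = h['x-xss-protection'];
  if (value === undefined) return 'default-filter'; // no header: auditor on by default
  if (value.startsWith('0')) return 'disabled';
  return /mode\s*=\s*block/i.test(value) ? 'block' : 'filter';
}

// Inline <script> sources in the response that also appear verbatim
// in a decoded field of the form-encoded request body.
function reflectedScripts(requestBody, responseHtml) {
  const fields = [...new URLSearchParams(requestBody).values()];
  const scripts = [...responseHtml.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)]
    .map(m => m[1].trim())
    .filter(src => src.length > 0);
  return scripts.filter(src => fields.some(f => f.includes(src)));
}

// True when the modelled auditor would refuse at least one script.
function wouldRefuse(headers, requestBody, responseHtml) {
  return auditorMode(headers) !== 'disabled' &&
         reflectedScripts(requestBody, responseHtml).length > 0;
}

// Constructed sample: an editor POST whose hypothetical "content" field holds
// form markup with an inline script, and a response page that echoes it back.
const markup = '<div><script>setupFields();</script><input name="Amount"></div>';
const sampleBody = 'formid=example&content=' + encodeURIComponent(markup);
const sampleHtml = '<html><body><form>' + markup + '</form></body></html>';

console.log(auditorMode({}), reflectedScripts(sampleBody, sampleHtml));
console.log('refused without header:', wouldRefuse({}, sampleBody, sampleHtml));
```

The match is purely textual, so a harmless script is treated the same as a hostile one whenever its source also appears in the request.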
Seems like this bug which hasn't been fixed yet http://world.episerver.com/support/Bug-list/bug/127147