Vulnerability in EPiServer.Forms
Is it possible to disable the preview for pages which are shortcuts to external sites?
We've hit an interesting problem on one of our EPiServer 7.19 sites. We have a page which is a shortcut to an external press release site, one which only works via HTTP, not HTTPS. This page has child pages for individual news stories which are categorized and displayed in a block on the site's main landing page, so editors frequently click on the shortcut page in the CMS page tree to expand it out and add/edit these sub-pages.
The problem that we're facing is that our editors are using Chrome, and edit the CMS on a HTTPS connection. When they click on the page with the redirect to a HTTP site, the CMS preview tries to render it, but the mixed content is blocked by Chrome, which leaves the page stuck in a loading state. This seems to have an adverse affect on the general performance of the CMS edit interface - it then becomes slow, and pages can fail to update correctly. For example, CMS properties view can fail to update when switching between items, and closing properties view can reveal another properties view for the previous page, rather than the page preview. The only fix is to exit Edit mode and come back in - switching to Admin and back seems to do the trick.
I think the short term solution is to move the individual news stories so they're no longer children of the shortcut page, which should reduce accidental clicks from the editors. However, there's still a risk they'll click on the shortcut page by accident and mess up their edit state, so disabling the preview altogether would be a better solution.
The editors do not recall this being a problem prior to the 7.5 upgrade (I personally had never used this area of the site), so I'm not sure if the shortcut behaviour was changed in this release.
This is a little hacky and there is probably a better way of doing this. I have not investigated further how to detect if the page is requested in edit mode but this solution works:
public class CustomRenderingInitialization : IInitializableModule
public void Initialize(InitializationEngine context)
context.Locate.TemplateResolver().TemplateResolved += OnTemplateResolved;
public void Uninitialize(InitializationEngine context)
ServiceLocator.Current.GetInstance<TemplateResolver>().TemplateResolved -= OnTemplateResolved;
public void Preload(string parameters)
public static void OnTemplateResolved(object sender, TemplateResolverEventArgs args)
var pageToRender = args.ItemToRender as PageData;
if (pageToRender != null && pageToRender.LinkType == PageShortcutType.External)
var currUrl = args.WebContext.Request != null && args.WebContext.Request.Url != null ? args.WebContext.Request.Url.ToString() : string.Empty;
if (currUrl.IndexOf("epi.cms.contentdata", StringComparison.InvariantCultureIgnoreCase) > -1)
args.SelectedTemplate = null;
We experienced this problem as well and reported it as a bug a few months back. Haven't heard if they came up with a solution yet though.
Matttais - thanks, I'll give that a try when we get some downtime between feature releases.
Erik - do you have a bug reference number? I'm yet to file this with EPiServer, and it would be good to ensure this is properly captured as the same issue, and doesn't result in two low impact duplicate tickets.
Bug #122953: cms 7.19.2: Shortcut to another page on http when using https site freezes the edit interface
Should be fixed according to the bug list: http://world.episerver.com/support/Bug-list/bug/122953
Ah! Somehow I hadn't found the EPiServer bugtracker. Fixed in 8.10 - this might be a useful carrot to get our clients to commit to the time required to shift the site from the 7.5 family to 8.x.
Having a similar problem where the external site has a prevent framing script which breaks out of the CMS making it impossible to update the settings for the page. Would love to be able to just disable the iframe preview.