Vulnerability in EPiServer.Forms
I am very new to Episerver and still learning. I got stuck developing one scenario.
I have some master data kept in admin sections which gets reused to display some information in the frontend. However, in case this admin data is invalid or there are some troubles reading it, I want them to be stored somewhere so that the admin can see them when they want to find the root cause of the issue. How can we incorporate this with Epi Server? Is there anything built-in to manage any editor/admin-level issues and record them in a user-friendly manner so that admins/editors can have a look when they need?
Thanks a lot in advance!
Hmm not sure I get what you are after but...
There are plenty of places where you can extend Episerver. Either you can create a custom gadget for editors in edit mode that reports any errors you have with this? A custom tool in admin mode is another option if only admins need to see this.
Maybe it's enough to validate when a page is published? Then you can add custom validation for a page by implementing the IValidate interface.
Thanks a lot for responding. Actually I have a hold of the errors and exceptions. But I am thinking if there is any simple way to show them to the admins/editors. Let's say, I have some Facebook configuration information in admin setting. Now, when I am using that in a controller to get the Facebook posts, I found that the Facebook configuration information is invalid and not returning data. How can I keep the logs and show them to the admins when they visit the admin section, Facebook configuration section, so that they change the configuration accordingly? Is there any out-of-the-box mechanism of doing that in Epi Server?
Is the Facebook configuration saved in a property on the page? In that case I would implement custom validation of that page type by implementing the IValidate interface. Then the editor will get a warning when publishing the page.
I would also render a detailed error message on the actual page but that is only shown to editors. You can check
var inEditMode = PageEditing.PageIsInEditMode;
in the controller and then in the view show some helpful message for the editor if you fail to get anything from Facebook.
As Daniel suggested, I would implement the validator to handle bad input and give immediate feedback to editors.
There are different types of validators: validators for a single property, and validators for the entire page.
You can check this link for some examples: http://henrikm.com/custom-episerver-property-validation/
When it comes to logging / showing error messages, I wouldn't expose anything to the public web (or page view inside the if block that contains PageEditing.PageIsInEditMode condition).
Error messages should be kept in the error log.
For easier access to log files, you can use cloud-based services like elmah.io, raygun, stackify, etc.
It is also possible to create custom log4net appenders that will store messages in a database (or some other data source), and a tool in admin mode that will allow administrators to get a quick overview of errors.
In EPiServerLog.config you can configure which errors should be logged using your custom appender.
Also, make sure that you don't only log the exception.
I often see code like this:
catch (Exception ex)
{
    _log.Error("Something bad happened", ex);
}
It is very important that error messages contain enough information so that developers can reproduce the event. Log everything but sensitive information: page/block ids, user input, etc. but leave out credit card information, etc.
Hope this helps.
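What "log everything but sensitive information" from the last reply can look like, as an added example that is not code from the thread or from Episerver. The helper name, the list of sensitive keys and the sample values are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Builds a log message with enough context to reproduce a failure while
// masking secrets. All names in this example are hypothetical.
public static class LogContext
{
    // Assumed list of sensitive keys; adjust to your own settings model.
    private static readonly HashSet<string> SensitiveKeys =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "AppSecret", "AccessToken", "Password", "CardNumber" };

    public static string Describe(string what, IDictionary<string, object> context)
    {
        var parts = context.Select(kv => kv.Key + "=" +
            (SensitiveKeys.Contains(kv.Key) ? "[REDACTED]" : Clean(kv.Value)));
        return what + " | " + string.Join("; ", parts);
    }

    // User input may contain line breaks that would forge extra log entries,
    // so they are escaped; long values are truncated.
    private static string Clean(object value)
    {
        var text = value == null ? "(null)" : Convert.ToString(value) ?? "";
        text = text.Replace("\r", "\\r").Replace("\n", "\\n");
        return text.Length > 200 ? text.Substring(0, 200) + "..." : text;
    }
}

public static class Demo
{
    public static void Main()
    {
        try { throw new InvalidOperationException("Feed request returned no data"); }
        catch (Exception ex)
        {
            // Constructed sample values, not taken from the thread.
            var context = new Dictionary<string, object>
            {
                { "PageId", 42 },
                { "AppId", "constructed-app-id" },
                { "AppSecret", "constructed-secret" },
                { "Query", "news\nERROR forged line" }
            };
            var message = LogContext.Describe("Facebook feed failed", context);
            // In a site this line would be: _log.Error(message, ex);
            Console.WriteLine(message + Environment.NewLine + ex);
        }
    }
}
```

The logged line carries the page id, app id and the escaped query, with `AppSecret` replaced by `[REDACTED]`.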