Vulnerability in EPiServer.Forms
We're having trouble with a couple of blocks on our site. we have a very large site with lots of blocks/folders and many times blocks are created in 'for this page' and end up getting moved to another folder or another block type. For instance, we have a 'tabs block' that exists to contain 'rich text blocks' and display each rich text block as tabs. In this case, you would create the tabs block, then create the rich text blocks inside of it, which would put them in 'for this block'.
We have 2 blocks that must have gotten cut out of a 'for this block' and pasted somewhere else and now they're kind of floating in limbo. In fact, if we edit any block, they will show up in the 'for this block' section. Very odd!
The block that they existed in has been moved to the trash but I'm afraid to empy the trash in case it may make the site error. The scheduled 'remove unrelated content blocks' has already run as well and that didn't help.
I can get to the content blocks, but I can't delete them. See this series of screenshots:
Firist, I go to the page that had the tabs block and I edit the tabs. I can see in the 'For this block' of the tabs that there are two blocks. University owned and Personally owned. However, if I click on their options menu I can only Edit them. Move to trash is greyed out.
Now, if I edit one of those rich text blocks, and look in the 'For this block', I can see some really weird stuff. There's a second 'for this block' and the other block in limbo. In this example I'm editing the Personally owned block and you can see the University owned block in the 'for this block'
Even weirder yet, if I edit ANY block on the website now, I see both of those blocks in limbo in the for this block. In the following exmple, I'm on a different page and a completely different block, but the 'For this block' has both of the limbo blocks in it... weird huh??
We can't figure out how those blocks got there, why they're showing up in every 'for this block' and we can't delete them. What can we do? Thanks for any help!
The fix for this requires some breaking changes, so it'll be in a future breaking change release. Probably CMS UI 11. The bug id is CMS-6995.
I've been bitten by this bug in two different environments.
I created a scheduled job (that I only ran once) that deleted those blocks. I hard-coded the content id of the blocks that should be deleted. I made sure that the block's name had to start with "DELETE ME" before it was deleted, just in case the job was started on another environment by accident.