Vulnerability in EPiServer.Forms
I'm facing a weird thing here. If I have a block created in the assets panel, drag and drop it to a content area then delete it from the assets panel and clean the trash, the content area will have a block without any id or content link that won't be shown. This means that the editors are not able to see and remove it. The only way to remove it is to alter the content area (add or delete a new block).
I tried to create a fresh alloy solution and reproduce the issue but if i delete the block from the assets panel, it is not visible in the trash bin. Also, it is still visible in the content area but uneditable. That's a good thing since the editors are able to remove it.
I manage to reproduce the issue in two different solutions, both of them using older versions of CMS (11.8 and 11.10.1) and having a working trash bin. Is this a known issue? I found another topic started in 2013 with the very same problem but no solution posted there. Was anybody able to fix this?
UPDATE: I granted rights to the WebAdmins to access the recycle bin. After the blocks are deleted from the bin, the issue is reproducible on alloy too.
I may be wrong but this is likely because I think under the covers when adding a shared block to a ContentArea it created a ContentAreaItem which contains the data that links through to the added block. Therefore when you're removing the block it's not removing the ContentAreaItem and leaving it now with null reference once the block is rendered out. Are you rendering this out using the standard Episerver PropertyFor MVC helper as I've not seen this still being rendered. What you can do if you need is add an Event on the deleting using the ContentEvents and then using the SoftLinkRepository to get links to the block, this will find all the ContentAreaItems which you can programatically delete.
Spent way too long before I figured out it was a hidden ContentAreaItem without a reference to the page that was deleted. Still not fixed as of EPiServer 11.20.2. Using FilteredItems instead of Items filtered this hidden item away.