Vulnerability in EPiServer.Forms
Hello! We are using the latest version of Episerver Commerce from nuget.org (10.2.2) and are implementing a new order system using SerializableCart. What we have noticed is that custom properties added as meta fields to LineItemEx are not persisted in the database when executing "_orderRepository.SaveAsPurchaseOrder(cart);" where cart is of type SerializableCart. The custom fields are present in the Json blob in SerializableCart table.Changing the SerializableCart option off makes the custom fields persist in the database table LineItemEx both for the cart and when saving as a purchase order.
Is this a known bug or have we missed out on anything special when dealing with these custom properties?
Best regards, Peter Rothman
Systems developer Avensia AB
Yes, it's a known bug, we're working on that and it might be in an upcoming release (after 10.4.0 since it's a pre-release now and will be out soon). The problem is that in the new cart mode, custom fields are stored in IExtendedProperty.Properties which is a Hashtable (that's why the custom fields are present in the json blob in SerializableCart table), and the json serializer was setup with CamelCasePropertyNamesContractResolver, then when serializing hashtables, the keys of hashtable will be converted to camel cases, so it leads to a missmatch key issue.
A workaround could be renaming custom fields in using camel naming, or create a custom JsonConverter for the hashtable (not recommened since it might effect other places), or ..waiting to our fix :).
Hope it helps!
This has been reprioritized and will be included in Commerce 10.4 as COM-4014.