Vulnerability in EPiServer.Forms
Consider this for an implementation architecture --

Every Page Type points to the same ASPX file -- call it Page.aspx. That file is totally empty, but has code in the code-behind that locates and loads a user control. Here are the "rules" it uses to find the correct user control to load:

1. Looks for a named user control that the editor has typed into a property called "Rendering Control" (ex: "/Named/My-Custom-Control.ascx")
2. Looks for a user control named for the page ID. (ex: "/ByPageId/431.ascx")
3. Looks for a user control named for the Page Type (ex: "/ByPageType/Article.ascx")

So, ASPX file finds the appropriate user control and loads it into its own Controls collection. Since the ASPX is empty, the ASCX effectively outputs the entire page contents. The user control is where the templating for the content is done (what would normally be in an ASPX file.)

Here's why I want to do this --

We have a client coming off a Serena Collage install. The content in Collage was edited using Dreamweaver. Their Web guy is very hands-on -- he knows HTML/CSS, and likes it. They were very hesitant to go to a CMS at all, in fact, and I'm trying to find a way to make sure he can "escape" to writing his own HTML/CSS in his own IDE when he feels he needs to.

So, my thought is that with the architecture described above, he could do this. He could write a custom ASCX file for odd situations for a group of pages, or for a single page. Or he could just have one ASCX for each Page Type (much like a regular install has one ASPX for each Page Type).

If he feels like he needs Page #431 to do something odd, all he has to do is generate "/ByPageId/431.ascx" and put whatever HTML/CSS in it that he wants. He can use EPiServer Property controls if he wants to output page properties, or he could just hand-write the entire thing.

We'd have him extend the ASCX from a common class, so there would be no need for a code-behind, no need to build the project, which means he could do this in Dreamweaver (which he knows and likes).

Any thoughts on this? Any pitfalls you can see?

(I originally thought about hacking the URL rewriter and rewriting the URL to a different ASPX using the rules above. However, I can't seem to find a drawback to just dynamically loading an ASCX file instead. It's much, much simpler than re-implementing the URL rewriter.)

(And, before anyone brings it up -- I cannot use PTB or MVC here, for various reasons.)
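Added example, not part of the original post or of EPiServer: the three lookup rules described above as a small C# resolver, with the editor-typed "Rendering Control" value restricted to a single .ascx file directly under /Named/ before it is used, since that property is editor input that selects server-side code. The class, method and parameter names, the `fileExists` callback and the allowed-character sets are assumptions; no EPiServer API is used.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added illustration; all names here are hypothetical.
public static class RenderingControlResolver
{
    // Editor-typed value: exactly one .ascx file name directly under /Named/
    // (no "..", no extra path segments, no other extension).
    private static readonly Regex NamedControl =
        new Regex(@"\A/Named/[A-Za-z0-9_-]+\.ascx\z", RegexOptions.CultureInvariant);
    // Assumed character set for a page type name used as a file name.
    private static readonly Regex SafeTypeName =
        new Regex(@"\A[A-Za-z0-9_-]+\z", RegexOptions.CultureInvariant);

    // Returns the virtual path of the control to load, or null if no rule matches.
    // fileExists is supplied by the caller (for example, a check on the mapped path).
    public static string Resolve(string renderingControl, int pageId,
                                 string pageTypeName, Func<string, bool> fileExists)
    {
        // Rule 1: control named in the "Rendering Control" property.
        // A value that fails validation is ignored and lookup falls through.
        if (!string.IsNullOrEmpty(renderingControl)
            && NamedControl.IsMatch(renderingControl)
            && fileExists(renderingControl))
            return renderingControl;

        // Rule 2: control named for the page ID (an int, so nothing to sanitize).
        string byId = "/ByPageId/" + pageId + ".ascx";
        if (fileExists(byId)) return byId;

        // Rule 3: control named for the Page Type.
        if (!string.IsNullOrEmpty(pageTypeName) && SafeTypeName.IsMatch(pageTypeName))
        {
            string byType = "/ByPageType/" + pageTypeName + ".ascx";
            if (fileExists(byType)) return byType;
        }
        return null;
    }

    public static void Main()
    {
        // Constructed sample of controls present on disk.
        var onDisk = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            { "/Named/My-Custom-Control.ascx", "/ByPageId/431.ascx", "/ByPageType/Article.ascx" };
        Console.WriteLine(Resolve("/Named/My-Custom-Control.ascx", 431, "Article", onDisk.Contains));
        Console.WriteLine(Resolve("/Named/../web.config", 431, "Article", onDisk.Contains));
        Console.WriteLine(Resolve(null, 12, "Article", onDisk.Contains));
    }
}
```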
Should one usercontrol render the entire page? Would that mean that all html for the "layout" that are common for all or most of the pagetypes needs to be duplicated in each usercontrol? If that's the case it sounds like a pain to develop and maintain.
But keeping most of the code in the masterpage and having a naming scheme for renderingcontrols so it's easy to override default behaviour in a chosen content placeholder should work I guess.
We have a listing control with all the basic listing functionality but the actual rendering logic is placed in different usercontrols. The editor can choose which rendering control they want to use from a dropdown. But in our case we need to compile before we can add it to the solution.
I'm thinking the editor could just use the "shortcut / link to page on external website" to point to a custom aspx (not ascx). If this aspx inherits from TemplatePage etc it should be possible to use the masterpage and any usercontrols like menus etc, provided that you include the page id in the address: /CustomPages/CoolPage.aspx?id=567. I think it should be possible to use the id of the page you actually do the shortcut from, and by doing that you can use it to carry properties you might want to use in the custom template, get the correct placement in menus etc.
Before though, I think EPiServer had a check that the correct page type was being loaded so you'd get an exception if the template didn't match the page's page type. I just tried in CMS 6 and it does not seem to be the case in this version, so the approach could work.
We've used the solution mentioned by Magnus above, and it works well if you have a web master who knows what he's doing. And the validate template thing can be overridden in code, not sure if it's used any more though.
Why not just use WebParts/Flexigrid?
Thanks, everyone, for your feedback here.
I was especially interested in what Magnus mentioned. I'd never thought of that, but in retrospect, it seems logical.
However, in playing around with the rewrite provider, I managed to implement this exact logic at the rewrite level in about two dozen lines of code. So, editors can specify a custom ASPX file in one of the page properties, and the rewriter will send a request for that page there. Or they can provide an ASPX in a specific directory, named for the page ID ("431.aspx") and the rewriter will send the request there.
I need to do a little more testing on it, but I'll be writing a blog post over the weekend.
Thanks again, guys.
Gotta love the EPiServer community. I love learning through blogs and forum posts. Looking forward to your blogpost.
Blogged it here:
Selectively Overriding Page Type Template Mapping
http://world.episerver.com/Blogs/Deane-Barker/Dates/2010/12/Selectively-Overriding-Page-Type-Template-Mapping/