Vulnerability in EPiServer.Forms
I've implemented ISelectionQuery as described here: http://world.episerver.com/documentation/Items/Developers-Guide/EPiServer-CMS/9/Content/Properties/Property-types/Built-in-auto-suggestion-editor/
GetItems gets called fine with the search string I've entered or a * if I expand the whole thing with out typing. But, I never seem to get any calls to GetItemByValue though, and the value stored in my property in the item.Text, not item.Value.
Now, my text and value don't differ that much, and if they did, I could use some form of translation mechanism - but is it supposed to work this way? Or am I (my implementation) missing something?
After having read Linus Ekstrom: Creating a more advanced property editor, I realised two different controls could be used, and sure enough, it makes a differens on how the store is used.
When you use:
[AutoSuggestSelection(typeof(MySelectionQuery), AllowCustomValues = true)]
the rendering control will be a ComboBox, and the text property of your select items will be used. As the user can enter any string as a value, you aren't guaranteed to get a "valid" value from your store anyway, and I guess it makes sense not to call GetItemByValue.
If you omit AllowCustomValues, or set it to false, a FilteringSelect will instead be used, and GetItemsByValue will be called and the selectitem.value will be stored in your property.
Thanks for sharing!