Vulnerability in EPiServer.Forms
As part of the routing options configured in CMS 12 (https://docs.developers.optimizely.com/content-management-system/docs/configuring-cms), there's a "UseTrailingSlash" setting, which works normally, but when there's a dot/period in the "name in URL" field for a segment, this pattern breaks.
We can see that this is because, within the DefaultContentUrlGenerator (the default implementation of IContentUrlGenerator) that adheres to this setting, there's this method:
    private static void ApplyTrailingSlash(UrlGeneratorEventArgs eventArgs)
    {
        if (!eventArgs.AppendTrailingSlash || eventArgs.IsExternalShortcut || Path.HasExtension(eventArgs.Context.Url.Path) || eventArgs.Context.Url.Path.EndsWith('/'))
            return; // leave the path unchanged when any of these conditions holds
        eventArgs.Context.Url.Path += "/";
    }
And the call to Path.HasExtension causes this to think it's a file extension and therefore NOT render the trailing slash.
We have products in our client's commerce catalog from their PIM that have to contain a dot/period due to the product type, but their SEO requirements mean that the URL should be consistently rendered with a slash at the end. Unfortunately, there's no way to easily create a custom version of IContentUrlGenerator, as there's too much related internal or private code to clone from this implementation.
My proposal: can we add a new setting in the appSetting configuration under the routing options to control this behavior, so that when we disable the check for whether it's a path, we can force the URL to consistently have a trailing slash? I'm aware we don't want this behavior to apply to the asset area, so this might need to be context aware in the code.
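The behaviour described in the post, as an added example that is not part of the original post and is not Optimizely code: it shows how Path.HasExtension classifies URL paths whose last segment contains a dot, next to one context-aware alternative that only treats an allow-list of real file extensions as files. The class name, method names, allow-list and sample paths are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added illustration; the names here are hypothetical and not part of the CMS API.
public static class TrailingSlashDemo
{
    // Assumption: the extensions this site actually serves as static files.
    private static readonly HashSet<string> KnownFileExtensions =
        new(StringComparer.OrdinalIgnoreCase) { ".jpg", ".png", ".pdf", ".css", ".js" };

    // Mirrors the path-related part of the condition quoted above:
    // any dot in the last segment is taken to be a file extension.
    public static string CurrentBehaviour(string path) =>
        Path.HasExtension(path) || path.EndsWith('/') ? path : path + "/";

    // Context-aware variant: only a known file extension suppresses the slash,
    // so dotted product codes still get a consistent canonical URL.
    public static string AllowListBehaviour(string path)
    {
        if (path.EndsWith('/')) return path;
        string ext = Path.GetExtension(path); // "" when the last segment has no dot
        return KnownFileExtensions.Contains(ext) ? path : path + "/";
    }

    public static void Main()
    {
        // Constructed sample paths, not taken from a real catalog.
        string[] samples =
        {
            "/catalog/widget",          // no dot: both variants append "/"
            "/catalog/widget-1.5",      // HasExtension sees ".5" and skips the slash
            "/catalog/m8x1.25-bolt",    // HasExtension sees ".25-bolt"
            "/catalog/widget-1.5/",     // already canonical
            "/globalassets/spec.pdf",   // real asset: no slash in either variant
        };

        foreach (string p in samples)
        {
            Console.WriteLine($"{p,-26} current: {CurrentBehaviour(p),-28} allow-list: {AllowListBehaviour(p)}");
        }
    }
}
```

A product whose URL segment happens to end in an allow-listed extension would still be treated as a file, so the list should be scoped to the asset area, as the post suggests.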