Vulnerability in EPiServer.Forms
Hi, I've stumbled upon some problems with EPiForms together with the Content API. The template and assets described in (https://world.episerver.com/documentation/developer-guides/content-delivery-api/content-delivery-api-and-episerver-forms/) are not present in the response (unless we explicitly ask for the form's specific ID). However, we utilize friendly URLs in our SPA so this isn't an option.
It seems like the cause of this is that we've also implemented the CustomContentAreaPropertyModel (described in https://world.episerver.com/documentation/developer-guides/content-delivery-api/how-to-customize-data-returned-to-clients/) to expand all content areas. We've checked the DLLs with ILSpy and found some differences from the previous implementation, and managed to get it working by rewriting the expand behaviour like so:
protected override IEnumerable<ContentApiModel> ExtractExpandedValue(CultureInfo language)
{
    List<ContentApiModel> expandedValue = new List<ContentApiModel>();
    // Collect references for every content area item that has a content link.
    IEnumerable<ContentReference> contentReferences = from x in base.Value
                                                      where x.ContentLink != null
                                                      select new ContentReference(x.ContentLink.Id.Value);
    List<IContent> source = _contentLoaderService.GetItems(contentReferences, language).ToList();
    // Evaluate access as the anonymous principal when personalized content is excluded.
    var principal = base.ExcludePersonalizedContent ? _principalAccessor.GetAnonymousPrincipal() : _principalAccessor.GetCurrentPrincipal();
    // Only expand items the principal has Read access to.
    source.Where((IContent x) => _accessEvaluator.HasAccess(x, principal, AccessLevel.Read)).ToList().ForEach(delegate (IContent fc)
    {
        expandedValue.Add(GetMapper(_contentModelMapper, fc).TransformContent(fc, base.ExcludePersonalizedContent, "*"));
    });
    return expandedValue;
}
public static IContentModelMapper GetMapper(IContentModelMapper mapper, IContent content)
if (!(mapper is ContentModelMapperBase))
Don't know if this helps anyone or if EPiServer might have an answer to why this is, maybe the CustomContentAreaPropertyModel-functionality was written before CD.Forms was developed?
You are right. The document for the CustomContentAreaPropertyModel class was created for Content Delivery Api v2.0.0, and CD.Forms came later in CD v2.6. So the sample code is not really in line with the newest version of Content Delivery Api (and CD.Forms). We are preparing for Content Delivery Api v2.9 and will update the documentation soon after the release.
Thanks for your valuable feedback!
Ok thanks for your feedback.
We've stumbled upon another problem related to creating a custom Episerver Form Container (described in e.g. https://world.episerver.com/documentation/developer-guides/forms/creating-a-custom-form-block/). It's working fine when rendering it the default way (MVC). However, when requesting the same page via the content API we don't get our custom container but rather the default EPiServer implementation. Is this a limitation of the Content Delivery API / CD.Forms, or do you know anything about this, Long Le?
Yes, I must say that it is a limitation of ContentDeliveryApi.Form at the moment. In FormRenderingService we use the FormContainerBlockController to render the template. So I guess you will need to inherit that service, override the BuildFormTemplate method, and call your new custom form container block controller there.
I'm trying to render an EpiForm in React using the Content Delivery API. The HTML from formModel.template is displaying the form elements without any issues.
But the problem is that I'm not clear about how the form-related CSS and JS files are injected into the page.
I know that without the related CSS and JS files the form submit will not succeed, but I'm not sure how to inject them. Can you suggest a proper way to make the form work through the Content Delivery API?