Vulnerability in EPiServer.Forms
EPiServerForms.js expects an ajax response in camelCase, but JsonResult renders the response in PascalCase. Therefore, when using the JS submission mode for forms, the client-side script misinterprets a true value for isSuccessful in the response as a failure. Though the form has been submitted successfully and the data saved and visible on the list of submissions, the user cannot tell that their submission succeeded because no message is displayed.
Configuring JsonOptions in Startup.cs seems to fix this:
o.JsonSerializerOptions.PropertyNamingPolicy = JsonNamingPolicy.CamelCase;
However, I'm not sure what else this might break.
Foundation explicitly sets the JsonNamingPolicy to null so we get PascalCase.
options.JsonSerializerOptions.PropertyNamingPolicy = null;
So, perhaps the source JS will need to be changed to match the case of the response that the DataSubmitController is returning on submit.
Setting it to null means it will leave property names unchanged -- I set it like that in Foundation because without that it was CamelCasing all the property names and a lot of things weren't working correctly (just like the issue in this thread, though I hadn't tested Forms at that point). It was either update all of the possible problem spots in Foundation, or make this change -- for a new build (versus an upgrade), I don't know if I would include that.
Thanks Daniel. That makes sense. There's no reason to change the client code if you can just set the site to produce the casing the client code expects.
I think the Forms js assets included in the package need to be changed, right? I don't know how we could set Json config only for the DataSubmitController.
Haven't tested, but I think the latest Forms release (EPiServer.Forms 5.3.0) should lead to more expected behavior:
"Fixed an issue where changing the JSON formatting options to Pascal case in Startup.cs changed the form format. For example, if you created a form that redirected after submitting the form, it would not redirect to the selected page."
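On the question raised above of limiting the JSON casing change to the DataSubmitController, here is an added example (not code from EPiServer.Forms, Foundation, or any poster in this thread) of an ASP.NET Core result filter that applies camelCase only to JsonResult responses from that controller and leaves the site-wide policy untouched. It assumes the submit action returns a JsonResult without its own serializer settings, as the first post describes; the class and extension method names are hypothetical, and the controller is matched by type name because the thread does not give its namespace.

```csharp
using System.Text.Json;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public sealed class CamelCaseJsonForControllerFilter : IResultFilter
{
    // Assumption: matched by type name only; the namespace is not given in the thread.
    private const string TargetControllerName = "DataSubmitController";
    private readonly JsonSerializerOptions _camelCase;

    public CamelCaseJsonForControllerFilter(IOptions<JsonOptions> mvcJson)
    {
        // Copy the site-wide options so converters and encoder settings carry over,
        // then change only the naming policy for the targeted controller.
        _camelCase = new JsonSerializerOptions(mvcJson.Value.JsonSerializerOptions)
        {
            PropertyNamingPolicy = JsonNamingPolicy.CamelCase
        };
    }

    public void OnResultExecuting(ResultExecutingContext context)
    {
        if (context.Controller?.GetType().Name != TargetControllerName) return;

        // Only fill in settings when the action did not supply its own.
        if (context.Result is JsonResult { SerializerSettings: null } json)
            json.SerializerSettings = _camelCase;
    }

    public void OnResultExecuted(ResultExecutedContext context) { }
}

public static class FormsJsonCasingExtensions
{
    // Call from ConfigureServices in Startup.cs: services.AddFormsCamelCaseJson();
    public static IServiceCollection AddFormsCamelCaseJson(this IServiceCollection services)
    {
        // Singleton so the copied JsonSerializerOptions (and its metadata cache) is reused.
        services.AddSingleton<CamelCaseJsonForControllerFilter>();
        services.Configure<MvcOptions>(o => o.Filters.AddService<CamelCaseJsonForControllerFilter>());
        return services;
    }
}
```

With this in place the global `PropertyNamingPolicy = null` setting can stay as it is for the rest of the site.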