Vulnerability in EPiServer.Forms
I am trying to override a EPiServer TinyMCE plugin in EPiServer 7. To do so I have added a VPP i EPiServer.Framework.config. In EPiServer 7 this can be done by adding <add name="TinyMCEPlugins" virtualPath="~/Util/Editor/tinymce/plugins" physicalPath="%MYPATH%" type="EPiServer.Web.Hosting.VirtualPathNonUnifiedProvider, EPiServer.Framework" />. But in EPiServer 7.1 and 7.5 all the TinyMCE plugins are located in the ProtectedAddons folder. Is there a way to find out which EPiServer version that is running runtime and register this VPP in a IInitializableModule? If so, how can this be done?
It's not possible to override one of the built in plug-ins by adding VPP:s to util. We have a list of the built in plug-ins (both EPiServers and the default plug-ins from Tiny MCE) and these are loaded from the CMS module. Any other plug-in are loaded from util. In this case, if you want to patch a built in plug-in, you need to override the actual file in the CMS module. Another potential option would be to create your own add-on that's basically a copy from the EPiServer add-on, and make sure that this is part of the Tiny MCE plug-ins to load instead of the built in one.
Thanks for your answer!
This was possible in EPiServer 6 right? In EPiServer 7, this VPP registration works fine. Is it possible for my to register a VPP that overrides the http://localhost:17001/EPiServer/CMS/VERSIONNUMBER/ClientResources/Editor/tiny_mce/plugins/PLUGINNAME in EPiServer 7.1 and 7.5?
Yes, in EPiSerer 6 as well as in EPiServer 7, this was possible since the Tiny MCE files were located in the util directory. With the upgraded version of Tiny MCE in 7.2, the Tiny MCE files for this version (the util version still exists, used for the legacy property system) were placed in the add-on. You can probably register a VPP to override the files in the CMS add-on. Hopefully, this will be a temporary problem since we will do some restructuring of the files pretty soon. We will give more information about this when we have come a bit longer in that process.
This sounds great. Is it possible for me to register this VPP programmatically in a IInitializableModule? If so, how can this be done?
I am also looking into this and it could be good to know that the documentation for even 7.5 is wrong in this subject, not updated to how it works in 7.1. It says that everything is loaded from ~/util....
A have been able to override it by adding a VPP like this: <add name="TinyMCEPlugins" virtualPath="~/EPiServer/CMS/3.0.1097/ClientResources/Editor/tiny_mce/plugins/advimage" physicalPath="%SITEROOT%\Util\Editor\tinymce\plugins\advimage" type="EPiServer.Web.Hosting.VirtualPathNonUnifiedProvider,EPiServer" />. But it would be nice to know if it is possible to register this runtime by finding out which version of EPiServer is running. Is this possible, Linus?
I would go the way Linus suggest, that is create your own new plugin that is a copy of a existing and then add it, doing like that, you do not need to add any VPP pointing to a directory that will change on the next update från EPiServer.