Vulnerability in EPiServer.Forms
So I found a potential bug when deleting a user via the EPi interface (SQL membership user). Say we create a new user with the username "firstname.lastname@example.org" (without the quotes, obviously). When we then try to delete this user, the confirmation pops up with the selection of areas to also delete for this user, but the username on the confirmation is quoted as "test%40testing.com", and when you confirm the delete, it says that it failed to delete the user. I'm guessing this is because it's trying to delete test%40testing.com and not email@example.com (test%40testing.com obviously does not exist as a user).
Thoughts? Is this a documented bug?
Yes, this is a known issue. We have it reported in our bug system as:
#91051: Cannot delete user with @ in the user name
I can add to this that trying to delete a user with a space in the user name also fails. For example the user "Per Jungnelius" produces the following error: "Failed to delete user Per+Jungnelius."
From reading the bug report, we encoded the name twice, which made names containing characters that get encoded fail. This bug has been fixed in the 7.5 release.
Quickfix until the bug has been fixed:
Although it displays "Page can not be loaded", the user is gone! Great! @Teresa, thanks for the workaround.
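The double encoding described in the thread, reproduced as an added Python example (this is not code from EPiServer or from any of the posters; the user store and the user names are constructed). It shows why a name that is URL-encoded twice arrives at the server as "Per+Jungnelius" or "test%40testing.com" after one decode, and why encoding exactly once on the way out and decoding exactly once at the boundary fixes it.

```python
from urllib.parse import quote_plus, unquote_plus

# Constructed sample user store standing in for the SQL membership provider.
USERS = {"test@testing.com", "Per Jungnelius", "plain"}


def delete_link_double_encoded(username: str) -> str:
    """Reproduces the bug: the name is URL-encoded twice before it is sent."""
    return quote_plus(quote_plus(username))


def delete_link(username: str) -> str:
    """Corrected: encode the name exactly once on the way into the URL."""
    return quote_plus(username)


def handle_delete(encoded_name: str, store: set) -> str:
    """Server side: decode exactly once at the boundary, then look up the
    literal name. Decoding repeatedly 'until stable' is not a fix: it would
    make a user literally named 'a%40b' collide with 'a@b'."""
    name = unquote_plus(encoded_name)
    if name not in store:
        return f"Failed to delete user {name}."
    store.remove(name)
    return f"Deleted user {name}."


def reproduce(username: str) -> tuple:
    """Run the same deletion through the buggy and the corrected link builder
    on separate copies of the store; returns (buggy_response, fixed_response)."""
    buggy = handle_delete(delete_link_double_encoded(username), set(USERS))
    fixed = handle_delete(delete_link(username), set(USERS))
    return buggy, fixed


if __name__ == "__main__":
    # Only names containing characters that get encoded ('@', space) fail
    # on the buggy path; a plain name survives both paths unchanged.
    for user in ("test@testing.com", "Per Jungnelius", "plain"):
        print(user, reproduce(user))
```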