Vulnerability in EPiServer.Forms

Optimizely - update 474

Release summary

New features for Optimizely Graph (formerly Optimizely Content Graph). Bug fixes for Optimizely Content Management System (CMS), Optimizely Graph and Optimizely Content Delivery API (headless). Security enhancement for Optimizely Google Analytics.

Released items September 22, 2023

Area ID Type Description Released
HAPI-2681
  Inconsistent behavior when you get expired content by Id and contentUrl

Fixed an issue that caused inconsistent behavior when you called CD to get expired content by Id and contentUrl. The Id returned 404 Not Found and contentUrl returned the expired page.

EPiServer.ContentDeliveryApi 3.9.0;
Sep 22, 2023
HAPI-2682
  Url is not correct when the master language content and locale of machine is different from the master language

Fixed an issue that provided the incorrect URL when the local machine had a culture of en (for example), and you created content in the master language (sv) and a non-master language (en). When you called CD to get the above content without setting accept-language, the content.url was linked to the en page.

EPiServer.ContentDeliveryApi 3.9.0;
Sep 22, 2023
HAPI-2703
  Add stop gap solution for non HTML output

You can get rich text stored in XhtmlString in a different structured delivery format than just an HTML string. 

EPiServer.ContentDeliveryApi 3.9.0;
Sep 22, 2023
CMS-30050
  Editing block with JsonIgnore attribute shows infinite loader

Fixed an issue where blocks that used the JsonIgnore attribute caused the UI to display an infinite loader because of an error in handling the ignored property while editing the block.

EPiServer.CMS.UI 12.22.7;
Sep 22, 2023
GA-475
  Security Improvement

Improved security to mitigate a high-severity security vulnerability that might give an attacker access to sensitive data in the application.

Read more at: https://world.optimizely.com/blogs/bien-nguyen/dates/2023/9/vulnerability-in-episerver-googleanalytics--v3-and-v4/

EPiServer.GoogleAnalytics 3.0.2;
Sep 22, 2023
HAPI-2717
  Application synchronization may throw ConcurrencyException

Fixed an issue that caused a ConcurrencyException when application synchronization was configured from code and the web app was started with multiple instances simultaneously. The process was terminated due to an unhandled exception.

EPiServer.ContentDeliveryApi 3.9.0;
Sep 22, 2023
HAPI-2697
  Could not get content by friendly URL if you set custom BaseRoute

Fixed an issue that returned login page content (instead of a 200 response with the detail content) when you set a custom BaseRoute and called to get the content by friendly URL.

EPiServer.ContentDeliveryApi 3.9.0;
Sep 22, 2023
HAPI-2513
  Call CMA to create content return error 500 if item of ContentArea contains null item

Fixed an issue that returned 500 with the error "Object reference not set to an instance of an object" when you called CMA to create content and an item of the ContentArea was null.

EPiServer.ContentDeliveryApi 3.9.0;
Sep 22, 2023
HAPI-2693
  CD.Form hosted page does not resolve correctly

Fixed an issue that caused IPageRouteHelper.ContentLink to return the Start page when you requested a CD endpoint and the host was language-mapped.

EPiServer.ContentDeliveryApi 3.9.0;
Sep 22, 2023

Optimizely Graph

New features for Optimizely Graph

  • CG-4187 – New Feature – Return friendly URL for PropertyImageUrl and PropertyDocumentUrl

    Previously, Optimizely Graph returned permanent links but now also returns friendly URLs for PropertyImageUrl and PropertyDocumentUrl.

  • CG-2997 – New Feature – Scheduled job shows "successful" even if issues occurred.

    The scheduled job was updated to meet the following criteria:

    1. The scheduled job completes only after Optimizely Graph has finished ingesting the content.
    2. The scheduled job may fail if Optimizely Graph does not respond with an appropriate message.
    3. If the scheduled job completes with errors, the errors and affected journal Ids are listed in the scheduled job's log.
    4. As soon as a journal fails to be handled, the job is stopped immediately.
    5. The job status is retrieved every 60 seconds.
  • CG-4559 – New Feature – You can get notifications for content with specific status only

    Added a feature to let you specify one or more Statuses, such as Published and/or Draft, that triggers a notification.

  • CG-5094 – New feature – Support Basic authentication with HMAC credentials

    To simplify HMAC authentication, Optimizely supports Basic authentication as an alternative, which takes appKey as username and secret as password.

    Usage: concatenate appKey and secret with a colon (:) character, then encode the value as base64.

    The gateway implementation stores the auth object as HMAC auth on the tenant object. For example:

    https://www.debugbear.com/basic-auth-header-generator
    Authentication: `Basic base64($appKey:$secret)`
  • CG-2876 – New Feature – Extend _fulltext field with Number, Date and Boolean types

    You can now extend the fulltext search to all types, such as set dates, integers and other types. This feature includes the following criteria:

    • Change the mapping to support Number, Date, and Boolean types
    • Update mapResponse in Gateway to collect Number, Date, and Boolean searchable type into _fulltext field (now only string)
  • CG-3895 – New feature – Create OpenAPI endpoint for content types 

    You can send content types for your source to Optimizely Graph using an OpenAPI client, so you can use existing OpenAPI tools to synchronize content types for your source from your application. You can use any OpenAPI client of your choice to synchronize content types to Optimizely Graph. The OpenAPI client must get the "contract" of the JSON body for sending content types. As the default value for the id parameter, the system omits the source_routing parameter on the cluster request.

  • CG-3896 – New feature – Create OpenAPI endpoint for content (data)

    You can send content types for your source to Optimizely Graph using an OpenAPI client, so you can use existing OpenAPI tools to synchronize content types for your source from your application. You can use any OpenAPI client of your choice to synchronize content types to Optimizely Graph. The OpenAPI client must get the "contract" of the JSON body for sending content types. As the default value for the id parameter, the system omits the source_routing parameter on the cluster request.

  • CG-4537 – New feature – Implement semantic search for English content (iteration 1), part 1 Cluster

    Added semantic search, which uses artificial intelligence (AI) to interpret the intention of a user query and the contextual meaning of terms as they occur to return more relevant results. Semantic search solves the “vocabulary mismatch” problem. The technology to implement this supports automating synonyms, clustering documents, detecting meaning and intent in queries, question answering, chatbots, and ranking search results.

  • CG-4639 – New feature – Implement semantic search for English content (iteration 1), part 2 Gateway

    Added semantic search, which uses artificial intelligence (AI) to interpret the intention of a user query and the contextual meaning of terms as they occur to return more relevant results. Semantic search solves the “vocabulary mismatch” problem. The technology to implement this supports automating synonyms, clustering documents, detecting meaning and intent in queries, question answering, chatbots, and ranking search results.

    • Implemented a “neural search” query in the Optimizely Graph query language when _fulltext is used with matching.
    • Added a new ranking enum in the Optimizely Graph query language (for example, SEMANTIC); use it to activate neural search queries.
    • Semantic search is ignored for indexes without a model, so the query reverts to standard ranking.
  • CG-5135 – New feature – Add source routing to Journal endpoints

    As an Optimizely Graph user who has multiple content sources to synchronize to Optimizely Graph, you can record the synchronization status in the Journal service for each of your content sources.

    The Journal service has the following endpoints:

    • GET  "/journal/stream/:journalId": get the indexing status of a QueueResult record
    • POST "/journal/indexing": create/update an indexing job record
    • POST "/journal/stream": creates a new QueueResult record
    • GET  "/journal/indexing/:indexingJobId": retrieves an indexing job by ID
    • GET  "/journal/indexing/:indexingJobId/status" : get the status of an indexing Job

    For each of the endpoints, you can pass the content source ID and retrieve or update the record for that content source only. If the content source parameter is not provided, the Journal service returns data for the default source (CMS). Indexing content for another source with the /content/v2 endpoint should write journal records with that source.

    For each endpoint, you can add a new optional parameter named sourceId as a querystring parameter. When creating new records, if the sourceId parameter is provided, it is added to the Journal record and the IndexingJob record. If sourceId is null/empty, it is not added to the record (for CMS, the default source).

    When retrieving Journal or IndexingJob records, if the sourceId parameter is provided, the records are queried and filtered by the sourceId parameter. If the sourceId is null/empty, only records without a sourceId, or with sourceId = null, are returned (for the CMS source).
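
The Basic scheme described under CG-5094 above, as an added example (not Optimizely's code): a client builds the value and a hypothetical receiver splits and checks it. It assumes the value travels in the standard HTTP Authorization header (RFC 7617); the function names and sample credentials are constructed for illustration.

```python
import base64
import hmac


def build_basic_value(app_key, secret):
    """Client side: return 'Basic base64(appKey:secret)' as described above."""
    if ":" in app_key:
        # The receiver splits on the first colon, so a colon in the
        # appKey would shift part of it into the secret.
        raise ValueError("appKey must not contain ':'")
    raw = f"{app_key}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_value(value):
    """Receiver side (hypothetical): recover (appKey, secret) or raise ValueError."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    # validate=True rejects characters outside the base64 alphabet.
    # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    app_key, sep, secret = decoded.partition(":")  # first colon only
    if not sep or not app_key:
        raise ValueError("missing appKey or ':' separator")
    return app_key, secret


def credentials_match(value, expected_key, expected_secret):
    """Compare in constant time; any malformed value is simply a mismatch."""
    try:
        app_key, secret = parse_basic_value(value)
    except ValueError:
        return False
    key_ok = hmac.compare_digest(app_key.encode(), expected_key.encode())
    secret_ok = hmac.compare_digest(secret.encode(), expected_secret.encode())
    return key_ok and secret_ok


# Constructed sample credentials, not real Optimizely keys.
SAMPLE_KEY, SAMPLE_SECRET = "demoAppKey", "s3cr:et/with+colon"
HEADER_VALUE = build_basic_value(SAMPLE_KEY, SAMPLE_SECRET)
# base64 is an encoding, not encryption: anyone who sees the value
# recovers the secret, so it must only travel over TLS.
RECOVERED = parse_basic_value(HEADER_VALUE)
```

Unlike an HMAC-signed request, the Basic value carries the secret itself on every call, so treat it like a password in logs, proxies and client-side code.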

Bug fixes for Optimizely Graph

  • CG-2629 – [Postman] [status !=published] Name of Image File is not updated

    Fixed an issue where the result of a query did not return an updated name.

  • CG-5311 – GraphiQL is not loaded on Chrome and Firefox.

    Fixed an issue that prevented GraphiQL from loading in Chrome or Firefox.

  • CG-5130 – Optimizely Graph returns images that were deleted by the API in the CMS

    Fixed an issue where Optimizely Graph returned images that were deleted by the API in the CMS.

  • CG-5040 – "Root" and "Recycle Bin" are returned on Content Graph when the site is deployed to DXP.

    Fixed an issue that incorrectly returned the root and Recycle bin when you ran the following query.

    query MyQuery {
      Content(locale: ALL, orderBy: { Created: ASC }) {
        total
        items {
          Name
          Url
          ContentType
        }
      }
    }
  • CG-4634 – [Search Provider] returns Expired content

    Fixed an issue that returned expired content when you searched for property of Datetime, DateList, Double, IntegerList/Enumerable of Int, Int, or Boolean.

  • CG-4561 – Indexing job fails when ContentAreaItem property refers to a Nested InlineBlock.

    Fixed an issue that caused the indexing job to fail after creating a StandardPage that has a ContentAreaItem property referring to an Inline Block.

  • CG-2625 – Optimizely Graph indexing job fails when changing status of a block including another block under For This Page.

    Fixed an issue where the Optimizely Graph indexing job failed if you changed the status of a block that included another block under For This Page.

  • CG-5103 – Delta Indexing not working when reindexing a deleted item

    Fixed an issue that did not index a content item that was previously set to deleted.

  • CG-4413 – Exception 'InternalServerError' when running autocomplete tests

    Fixed an issue that caused exceptions (The HTTP request failed with status code InternalServerError) when a number of tests were run at the same time; approximately 50% failed, but when each test was run individually, it passed.

  • CG-5042 – [Fuzzy Search] Issue with "contains" operator

    Fixed an issue with the contains operator that did not return data.

  • CG-4307 – The 'like' operator works incorrectly when using both a leading and trailing '%' character

    Fixed an issue where no item was returned for the like operator when you used both a leading and trailing % character.

  • CG-4433 – [Music Festival] Search param still returns undefined when searching with empty string

    Fixed an issue that displayed the search parameter as undefined when you searched the Music Festival demonstration site with an empty string.

  • CG-4434 – [Music Festival] Wrong search value when user click on the number of an item in facets

    Fixed an issue that returned an incorrect result when you used the search facets in Music Festival demonstration site. If you clicked the number on the right of a specific item, it got that number as a search value, which returned an incorrect search result.

  • CG-4868 – Should not return blank values for searchable properties in _fulltext search in Postman

    Fixed an issue where some blank values for the searchable properties that had no values filled were returned in _fulltext result with type of "".

  • CG-4872 – _fulltext search not returning value for Boolean searchable field if value = false

    Fixed an issue where the default value (false) for the _fulltext Boolean field did not display in the search results.

  • CG-5154 – When you get an error build schema, 400 should return instead of 500

    Fixed an issue that returned a 500 status instead of the correct 400 status when you synchronized content types with issues that caused GraphQL schema build errors with invalid ContentTypes.

  • CG-5272 – Content type changes not synchronized until running the full indexing job 

    Fixed an issue by adding documentation about how to configure synchronization of content type when the site starts.

  • CG-5303 – Content Graph content synchronization job is failed.

    Fixed an issue where the indexing job failed.

  • CG-3035 – Cursor : Should not show error 500 if user assign an incorrect value to cursor

    Fixed an issue that returned error 500 with the message: Oops, something went wrong. Please report us with request id. (It should have returned 0 items.)

Last updated: Sep 22, 2023