Wednesday, January 18, 2017

Sitecore WFFM field contains content that may present a security risk

Users of a web forms for marketers form in production started raising issues with validation on the form which was returning the following message:
The [field name] field contains content that may present a security risk. Please enter appropriate information
This is traced back to the Assess Security Risk, Form Verification action. Effectively what this piece of code is doing is checking to ensure that fields in a WFFM form do not contain any of the following characters: "<", ">" and "&".

The users of the form where using and ampersand ("&") character - and this was required for form functionality.

There are two potential solutions to fix this issue on the form.

Removing the Assess Security Risk action

  1. In the content editor navigate to the web form
  2. In the view options (top ribbon) turn "Raw Values" on
  3. In the submit section, locate the "Check Actions" field
  4. Remove the following section from the field's XML value
  5. Disable the "Raw Values" view option 
<li id="{2D5B5061-747A-4477-BD41-E746EAFEB231}" unicid="89F18F7C96F4469A9470057CE421A115"><parameters /></li> 
Effectively this clears out the "Check Actions" node of the XML, however if you have added custom actions you will need to ensure the correct one is removed.

Modifying the Assess Security Risk code

  1. Create your own version of the Assess Security Risk code, the example below removed the check for the ampersand ("&")
  2. Navigate to the action's configuration - /sitecore/system/Modules/Web Forms for Marketers/Settings/Actions/Form Verification/Assess Security Risk
  3. Update the assembly field to that of your custom DLL
  4. Update the class field to that of your custom class
  5. Publish the item
using Sitecore.Data;
using Sitecore.Form.Core.Configuration;
using Sitecore.Form.Core.Controls.Data;
using Sitecore.Form.Core.Submit;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Web;

namespace MyProject.WFFM.Validators
    public class AssessSecurityRisk : BaseCheckAction
        public string FailedMessage { get; set; }

        public override void Execute(ID formid, IEnumerable<ControlResult> fields)
            List<string> stringList = new List<string>();
            foreach (ControlResult field in fields)
                if (field.Value != null)
                    string str = HttpUtility.HtmlDecode(field.Value.ToString());
                    if (str.StartsWith("<item>"))
                        str = str.Replace("<item>", string.Empty).Replace("</item>", string.Empty);
                    if (str.IndexOfAny(new char[2] { '<', '>' }) >= 0)
            if (stringList.Count > 0)
                throw new Exception(string.Format(this.FailedMessage ?? (stringList.Count == 1 ? ResourceManager.Localize("VALIDATE_INPUT_FAILED") : ResourceManager.Localize("VALIDATE_INPUT_FAILED_MULTIPLE")), (object)string.Join(", ", stringList.ToArray())));

        public override ActionState QueryState(ActionContext context)
            return ActionState.DisabledSingleCall;

No comments:

Post a Comment