How To Change The Validation In WebForms for Marketers

I had a recent support ticket where a few customers complained that they couldn’t submit a Web Forms for Marketers (WFFM) form with an & in it. Originally, the data entered into a WFFM form wasn’t encoded, and the “<”, “>” and “&” characters have been disabled by default to prevent code injection.


When you submit a form containing one of these characters, you will usually see this error message: ‘The {0} fields contains content that may present a security risk. Please enter appropriate information’.

In my opinion, this really isn’t the best user experience. If someone is trying to use your contact form but doesn’t know exactly what they’ve done wrong, the chances that they turn tail and leave your website, never to come back, increase, and consequently you could lose business. In today’s tutorial, I’m going to cover some of the techniques you can use within Sitecore to overcome this problem.

Making The Error Message More User Friendly

This approach is probably the easiest to implement. Sitecore added these checks for a reason: security. Some people might want to stick with that approach, so creating a more descriptive error is a good starting place. There are two ways to override the default message: on a per-form basis or on a global basis.

Per Form Basis

If you want to update the message of a single form, open the content editor in master and navigate to the form in question. This is usually somewhere around ‘Sitecore’ -> ‘System’ -> ‘Modules’ -> ‘Web Forms for Marketers’ -> ‘Websites’.

Select the form you want to edit, wait for it to load, and then select the ‘Form Verification’ option in the top ribbon.


In the dialog that opens, select the ‘Access Security Risk’ option, and then click the ‘Error Messages’ tab. In here you can add the text you want to display.


Global Basis

In your Sitecore desktop, switch to the ‘core’ database (see ‘How To Switch Between The Core and Master Database in Sitecore’). Open the content editor and navigate to ‘System’ -> ‘Dictionary’ -> ‘T’.

In here you will find two entries:

‘TWFM The 0 field contains content that may present a security risk Please enter appropriate info’

and

‘TWFM The 0 fields contains content that may present a security risk Please enter appropriate inf’.

Open each of these, enter the error message you want to display instead of the default phrase in the ‘Phrase’ field, and save the item. When you refresh Sitecore you should see your new error message displayed.


IMPORTANT: All the values stored in the Core dictionary are cached. If you open up your webroot and look in the ‘temp’ folder, you should see a file called ‘dictionary.dat’. When you update any dictionary value, it is recommended that you delete this file and do an IIS reset (assuming you are working in development). This will force the dictionary values to update.

Disabling Validation Altogether

Now, I wouldn’t recommend this approach but it is possible to completely disable the validation for a particular form. In the ‘master’ database, go to your selected form, usually somewhere around ‘Sitecore’ -> ‘System’ -> ‘Modules’ -> ‘Web Forms for Marketers’ -> ‘Websites’.

Select the form and wait for it to load. In the ribbon, select the View tab and enable the ‘Raw Value’ option.


Now in the form, find the ‘Check Actions’ field. In here you should see a bunch of XML that looks similar to the below:

<?xml version="1.0" encoding="utf-16"?>
<li xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <g id="{10FE9225-5E6C-4896-9CD2-880D6D48C4CC}" displayName="Check Actions">
    <li id="{2D5B5061-747A-4477-BD41-E746EAFEB231}" unicid="89F18F7C96F4469A9470057CE421A115">
      <parameters>&amp;lt;__messages&amp;gt;&amp;amp;lt;messages&amp;amp;gt;&amp;amp;lt;en&amp;amp;gt;gfdgdgdfgfd&amp;amp;lt;/en&amp;amp;gt;&amp;amp;lt;/messages&amp;amp;gt;&amp;lt;/__messages&amp;gt;</parameters>
    </li>
  </g>
</li>

Remove the entire <li> node with ID {2D5B5061-747A-4477-BD41-E746EAFEB231} (its opening tag, its <parameters> child and its closing </li>) from the ‘Check Actions’ field. This will delete the validation. WARNING: doing this may open your site up to code injection, depending on your set-up, so be warned and test your code.
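An added example, not from the original post: a small Python audit that classifies a form's ‘Check Actions’ raw value, so you can list the forms where this check has been removed (and need their output encoding reviewed) or where a hand edit left the XML broken. The form names and sample values are constructed, and treating an empty field as "disabled" is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# ID of the security-risk check action, taken from the XML shown in the article.
SECURITY_CHECK_ID = "{2D5B5061-747A-4477-BD41-E746EAFEB231}"

def check_status(raw):
    """Classify one 'Check Actions' raw value: 'enabled', 'disabled' or 'malformed'."""
    if not raw or not raw.strip():
        return "disabled"      # assumption: an empty field means no check actions
    # The value declares utf-16 but is held here as a str, so drop the declaration.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", raw)
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "malformed"     # e.g. a stray </li> left behind by a partial removal
    for li in root.iter("li"):
        if (li.get("id") or "").upper() == SECURITY_CHECK_ID:
            return "enabled"
    return "disabled"

def forms_needing_review(forms):
    """Return {form name: status} for every form whose check is not enabled."""
    statuses = {name: check_status(raw) for name, raw in forms.items()}
    return {name: s for name, s in statuses.items() if s != "enabled"}

# Constructed sample values, modelled on the article's XML with <parameters> emptied.
_HEAD = ('<?xml version="1.0" encoding="utf-16"?>'
         '<li xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
         '<g id="{10FE9225-5E6C-4896-9CD2-880D6D48C4CC}" displayName="Check Actions">')
_CHECK_OPEN = ('<li id="{2D5B5061-747A-4477-BD41-E746EAFEB231}" '
               'unicid="89F18F7C96F4469A9470057CE421A115">')
_TAIL = "</g></li>"

SAMPLE_ENABLED = _HEAD + _CHECK_OPEN + "<parameters></parameters></li>" + _TAIL
SAMPLE_DISABLED = _HEAD + _TAIL            # whole inner <li> node removed
SAMPLE_MALFORMED = _HEAD + "<parameters></parameters></li>" + _TAIL  # only the opening tag removed

SAMPLE_FORMS = {            # hypothetical form names
    "Contact Us": SAMPLE_ENABLED,
    "Newsletter": SAMPLE_DISABLED,
    "Feedback": SAMPLE_MALFORMED,
}

if __name__ == "__main__":
    for name, status in forms_needing_review(SAMPLE_FORMS).items():
        print(f"{name}: security check {status}")
```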

 

Conclusion

In today’s post, we’ve covered the ‘Assess Security Risk’ option of WFFM. When dealing with forms with WFFM we have several options. The first option is to improve the user experience and make Sitecore produce a better validation message. This can be done either on a per form basis, or, globally.

Jon D Jones


2 replies
  1. Jen Rose says:

    Hi, I have done this successfully in v6.6, but in 8, when I remove the node I get errors about the g and li syntax. What EXACTLY do you remove? I had done this following instructions to remove the text that starts with and that’s it. That does leave two in the string . Should I also remove another? Or, is NODE actually more? Thanks. This is key to a process we created in a secure environment that prevents hacking, but where we want our form to allow URLs in escape code.

    • Jon D Jones says:

      When I tested it in 7.5, I removed the ‘<li>’ completely and it worked. I’m in the process of upgrading to 8 now, so if I test it still works in 8 I’ll let you know 🙂
