In this tutorial, you will learn how to change the default validation rules within Sitecore's Web Forms For Marketers (WFFM). One annoying nuance is that certain characters entered into a WFFM form will fail validation. Web security is important; however, there are times when you want to allow characters like <, > and &. If you find yourself with a similar need, this is the tutorial for you 🔥🔥🔥

When you submit a form using WFFM that fails validation you will usually see this error message:

The {0} fields contains content that may present a security risk. Please enter appropriate information

[Image: How To Change The Validation In WebForms for Marketers 1]

In my opinion, this really isn't the best user experience. If someone is trying to use your contact form but doesn't know exactly what they've done wrong, chances are they will turn tail and leave your website, never to come back. Consequently, you could lose business. How can we solve this problem?

Making The Error Message More User Friendly

This approach is probably the easiest to implement. Sitecore has added these validations for a reason: security. Some people might want to stick with that approach, so creating a more descriptive error is a good starting place. There are two ways to override the default message: one on a per-form basis and the other on a global basis.

Per Form Basis: If you want to update the message of a single form, open the content editor in master and navigate to the form in question. This is usually somewhere around:

'Sitecore\System\Modules\Web Forms for Marketers\Websites'

Select the form you want to edit, wait for it to load, and in the top ribbon select the 'Form Verification' option. You should see the below dialogue:

[Image: How To Change The Validation In WebForms for Marketers 2]

Select the 'Assess Security Risk' option, and click the Error Messages tab. Here, you can add in the text you want to display:

[Image: How To Change The Validation In WebForms for Marketers 3]

Global Basis: In your Sitecore desktop, switch to the core database (see How To Switch Between The Core and Master Database in Sitecore). Open the content editor and navigate to:

'System\Dictionary\T'

Here you will find two entries:

  • TWFM The 0 field contains content that may present a security risk Please enter appropriate info
  • TWFM The 0 fields contains content that may present a security risk Please enter appropriate info

To change these error messages, update the Phrase field for each item with something more user-friendly. Save the item. When you refresh Sitecore you should see your new error message displayed:

[Image: How To Change The Validation In WebForms for Marketers 4]

All the values are stored in the Core dictionary and cached. If you open up your webroot and look in the 'temp' folder, you should see a file called dictionary.dat. When you update any dictionary value, it is recommended that you delete this file and do an IIS reset (assuming you are working in development). This will force the dictionary values to update.

Disabling Validation Altogether: I wouldn't recommend this approach in terms of security; however, it is possible to completely disable the form validation. To do this, open the 'master' database and go to your selected form. You can usually find your forms from within a web page. These are usually located here:

'Sitecore\System\Modules\Web Forms for Marketers\Websites'

Open the form and in the top ribbon, select the View tab. From here enable the Raw Value option:

[Image: How To Change The Validation In WebForms for Marketers 5]

Now in the form, find the Check Actions field. In here you should see a bunch of XML, that looks similar to the below:

Remove the node with ID {2D5B5061-747A-4477-BD41-E746EAFEB231} from the "Check actions" field. This will delete the validation.

WARNING: By doing this you may open up your site to code injection depending on your set-up, so be warned and test your code ❌
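With the check removed, <, > and & reach your storage and reports unfiltered, so every place that displays a submitted value has to HTML-encode it at output. The following is an added example, not code from the original post or from WFFM: FormOutput, Html and RenderRow are hypothetical names, the sample submissions are constructed, and it assumes the values are rendered into HTML such as a report page or notification e-mail.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example. FormOutput, Html and RenderRow are hypothetical names, not WFFM APIs.
public static class FormOutput
{
    // HTML-encode a value for an element body or a quoted attribute value.
    // WebUtility.HtmlEncode escapes <, >, &, " and '.
    public static string Html(string value)
    {
        return WebUtility.HtmlEncode(value ?? string.Empty);
    }

    // Build one row of an HTML report or notification e-mail from a stored submission.
    // The stored value stays raw; encoding happens here, at the point of output.
    public static string RenderRow(string fieldName, string submittedValue)
    {
        return "<tr><th>" + Html(fieldName) + "</th>"
             + "<td title=\"" + Html(submittedValue) + "\">" + Html(submittedValue) + "</td></tr>";
    }

    public static void Main()
    {
        // Constructed sample submissions containing the characters the default check rejects.
        var submissions = new Dictionary<string, string>
        {
            { "Company", "Smith & Sons <Holdings>" },
            { "Message", "3 < 5 & 5 > 3, \"quoted\" <b>thanks</b>" },
        };

        foreach (var field in submissions)
        {
            string row = RenderRow(field.Key, field.Value);
            // The submitter's markup must come out as text, never as a tag.
            if (row.Contains("<b>") || row.Contains("<Holdings>"))
            {
                throw new InvalidOperationException("unencoded user input in output");
            }
            Console.WriteLine(row);
        }
    }
}
```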


In today's post, we've covered the 'Assess Security Risk' option of WFFM. When dealing with forms with WFFM we have several options. The first option is to improve the user experience and make Sitecore produce a better validation message. This can be done either on a per-form basis or globally.