'IF macros' security issue in widgets (portal engine)

Dragoljub Ilic asked on January 7, 2019 13:55

Does anyone faceted with a problem that all IF macros in widgets (for portal engine) breaks because of security issue (event code: CHECKSECURITY) after resigning all macros? We have a macro expression in default value field on a widget and if HTML is inside of the macro, after resigning macros all of them crash. Here is code sample of macro:

{% if(!String.IsNullOrWhiteSpace(Title)) { %}
<h1>{%Title%}</h1>
{% } #%}

If there is no any HTML tags, then it works fine. We already tried to change hash salt and we always used Global Administrator user (added as identity as well) but issue still occurs. If we remove that wigdet from page and add it again, then it works without any problem. We are using version 11.0.29 upgraded from version 10 long time ago without any issues (not sure if it is related at all).

Thanks, Dragoljub

Correct Answer

Dragoljub Ilic answered on January 9, 2019 10:29

Sorry for late response, we managed to handle this situation by moving all macros and code into separate transformations and then modified codebehind and ascx to get content from transformations. It's not ideal solution because we did some extra work on widgets to implement it, plus on that we went through ALL already existing widgets and re-save it to update/remove macros from them. This solution is still better then removing and adding all content/widgets again because site is already filled in with content. After resigning, macros are not breaking because, technically they are not in widgets anymore.

I will mark this answer as a correct because it solved my problem, but there is still a lot of room for improvements.

Best regards, Dragoljub

0 votesVote for this answer Unmark Correct answer

Recent Answers

Brenden Kehren answered on January 7, 2019 15:40

I too have found the only fix for the majority of these issues is to remove the widget and add it back. OR modifying the macro in the widget and setting it back to what it should be. Seems that's the only fix for it. Somethign weird about widget macros not resigning, esepecially if that macro is in a widget's content.

0 votesVote for this answer Mark as a Correct answer

web dev answered on January 7, 2019 18:27 (last edited on December 10, 2019 02:31)

hello Dragoljub Ilic can you try this macro in your widget

 {% if(Title.Tostring() != "") { %}
 <h1>{%Title%}</h1>
  {% } |(identity)GlobalAdministrator%}
0 votesVote for this answer Mark as a Correct answer

Dragoljub Ilic answered on January 7, 2019 20:37

@Brenden, I don't think that modifying macro will help because it's added as default value and won't change anything on already existing widgets. Problem with removing and adding widgets again has a big impact to whole site, because content need to be recreated again and if/when resign macros in a future, problem will pop up. I kinda hoped that there is some decent solution to handle this issue with resigning macros which will bypass removing and adding widgets.

@web dev, I added that macro on widget and after resign, issue pops up again.

0 votesVote for this answer Mark as a Correct answer

Brenden Kehren answered on January 7, 2019 20:57

@Dragoljub, yeah it wasn't so much the default value of the webparts, it was the actual content on the "Page" view. There were a lot of macros directly inline in the content which caused me a lot of headaches.

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.