Forem: Jason Elkin

Mitigating CVE-2025-67288 in Umbraco (if you feel you need to)

Jason Elkin — Wed, 04 Feb 2026 02:49:57 +0000

Firstly, this is a really ill-informed CVE. If you've not read my comment on the Umbraco Forum, I'll repeat the key bits, otherwise feel free to scroll down to the good stuff.

A bit about CVE-2025-67288

If you want the details you can read the full CVE at nvd.nist.gov. Umbraco is in the process of disputing it.

Let me break down why I think it's mostly nonsense...

Remote Code Execution?

It’s an attention grabbing PoC..

Upload a crafted PDF file containing embedded JavaScript.
Observe that JavaScript from the PDF executes in the browser.

But what does Umbraco have to do with that? You could upload the file anywhere - in fact, and click this link if you dare, I've uploaded that file to a GitHub pages site.
Does that mean GitHub is vulnerable to a CWE-434…? No, and neither is Umbraco.

This is what a CWE-434 means...

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Emphasis mine, but this "CVE" doesn’t pass that test. Umbraco doesn't process the PDF such that arbitrary code can be run on your Umbraco site.

So, remote code execution worthy a CVSS score of 10.0? No.

Is is really XSS?

Look more closely at the XSS (Cross Site Scripting) claim. Where does the JavaScript actually run? In the browser, sure, but it’s not run in the context of the Umbraco site (or GitHub.io, if you were brave and clicked the link above). It’s sandboxed by the browser and not treated like it’s running on your domain at all.

This is such a common misconception that Chromium has an FAQ titled "Does executing JavaScript in a PDF file mean there's an XSS vulnerability?". Spoiler alert, the answer is no.

It's JavaScript, but not as we know it

It doesn’t have access to any important browser APIs - i.e. no fetch() or document.cookies etc. in fact if you look at the alert itself you’ll see it’s calling app.alert()… that’s not a web browser API but a PDF one :face_with_monocle:

If you try and craft a more complex JavaScript payload you’ll quickly find that the browser will block any APIs that could present a real risk to the user.

Even if you could craft malicious JavaScript that executes in a browser, that CVE would really be the browser’s problem, not Umbraco’s.

If you're feeling extra nerdy, you can have a read of the design doc for the PDF Viewer in Chromium. It talks about sandboxing, what kinds of JavaScript execution are allowed, and why.

Obviously there’s still a potential social engineering/phishing angle with these crafted PDFs… but that’s a whole different issue.

But good news, you can still mitigate against it!

Enter the IFileStreamSecurityAnalyzer

It's a simple interface you can implement that Umbraco will then run uploaded filestreams through so you can add any logic you want to check if the files are safe.

public interface IFileStreamSecurityAnalyzer
{
    /// <summary>
    /// Indicates whether the analyzer should process the file
    /// The implementation should be considerably faster than IsConsideredSafe
    /// </summary>
    /// <param name="fileStream"></param>
    /// <returns></returns>
    bool ShouldHandle(Stream fileStream);

    /// <summary>
    /// Analyzes whether the file content is considered safe
    /// </summary>
    /// <param name="fileStream">Needs to be a Read/Write seekable stream</param>
    /// <returns>Whether the file is considered safe</returns>
    bool IsConsideredSafe(Stream fileStream);
}

The docs have a nice example showing you how to protect against a potentially malicious SVG file.

In a similar fashion we can implement our own class that will read a PDF, look for any JavaScript, and return false when IsConsideredSafe() is called.

Notice the ShouldHandle() method only takes the stream. File extensions don't necessarily match up with what's actually in a file so we need to check the contents first to see if this is actually a PDF. A quick way of doing that is to parse just the file signature in the file's header.

There's a package for that!

dotnet add package FileSignatures

Then for the PDF reading, I'm using PdfPig:

dotnet add package PdfPig

Here I need to add a disclaimer. The following code is based on something I'm using in production but the PDF library I'm using has rather restrictive/expensive licensing and I wanted to give you a demo that "Just Works" with some friendly OSS libraries - so I asked AI to help me rewrite this for PdfPig.

Basically, it just looks for certain types of object in the document and, returns false if it finds them.

Why so complex? This is partly down to the library we're using here and partly down to how PDFs work. You can stuff pretty much anything in a PDF and the structure doesn't have to be as predictably formed as, say, an XML file. Different PDF libraries parse the document differently into their own DOM too. Here we have to iterate over everything in the PDF to check if it's the kind of object were looking for. Other PDF libraries keep track of every element in a separate dictionary that you can use to do a quicker lookup on.

internal class PdfSecurityAnalyzer(
    ILogger<PdfSecurityAnalyzer> logger,
    IFileFormatInspector fileFormatInspector) : IFileStreamSecurityAnalyzer
{
    private static readonly HashSet<string> _suspiciousKeys =
    [
        "AA",           // Additional Actions
        "OpenAction",   // Actions triggered on document open
        "JS",           // JavaScript Stream
        "JavaScript",   // Explicit JavaScript name
        "Launch",       // Launch external applications
        "SubmitForm",   // Form submission (potential data exfiltration)
        "ImportData"    // Import external data
    ];

    public bool IsConsideredSafe(Stream fileStream)
    {
        fileStream.Position = 0;

        var options = new ParsingOptions { UseLenientParsing = true };

        try
        {
            using var document = PdfDocument.Open(fileStream, options);
            var visited = new HashSet<IndirectReference>();

            // Check the entire document structure starting from catalog
            if (ContainsSuspiciousContent(document.Structure.Catalog.CatalogDictionary, document, visited))
            {
                return false;
            }

            return true;
        }
        catch (Exception ex)
        {
            logger.LogWarning(ex, "Failed to parse PDF for security analysis");
            return false;
        }
    }

    private bool ContainsSuspiciousContent(IToken token, PdfDocument document, HashSet<IndirectReference> visited)
    {
        return token switch
        {
            null => false,
            DictionaryToken dict => CheckDictionary(dict, document, visited),
            ArrayToken array => CheckArray(array, document, visited),
            IndirectReferenceToken refToken => CheckIndirectReference(refToken, document, visited),
            StreamToken stream => ContainsSuspiciousContent(stream.StreamDictionary, document, visited),
            ObjectToken objToken => ContainsSuspiciousContent(objToken.Data, document, visited),
            _ => false
        };
    }

    private bool CheckDictionary(DictionaryToken dict, PdfDocument document, HashSet<IndirectReference> visited)
    {
        // Check for suspicious keys
        foreach (var keyName in dict.Data.Keys)
        {
            if (_suspiciousKeys.Contains(keyName)) return true;

            // Subtype Check: /S /JavaScript
            if (keyName == "S" 
                && dict.TryGet(NameToken.S, out NameToken subtype)
                && subtype.Data == "JavaScript")
            {
                return true;
            }
        }

        // Recurse into all dictionary values
        return dict.Data.Values.Any(value => ContainsSuspiciousContent(value, document, visited));
    }

    private bool CheckArray(ArrayToken array, PdfDocument document, HashSet<IndirectReference> visited)
    {
        return array.Data.Any(item => ContainsSuspiciousContent(item, document, visited));
    }

    private bool CheckIndirectReference(IndirectReferenceToken refToken, PdfDocument document, HashSet<IndirectReference> visited)
    {
        if (visited.Contains(refToken.Data)) return false;

        visited.Add(refToken.Data);

        try
        {
            var actualToken = document.Structure.GetObject(refToken.Data);
            return ContainsSuspiciousContent(actualToken, document, visited);
        }
        catch
        {
            return false;
        }
    }

    public bool ShouldHandle(Stream fileStream)
    {
        var format = fileFormatInspector.DetermineFileFormat(fileStream);

        if (format is Pdf)
        {
            return true;
        }

        return false;
    }
}

And then to register it, use an IComposer:

public class RegisterFileStreamSecurityAnalysers : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        var recognised = FileFormatLocator.GetFormats().OfType<Pdf>();
        var inspector = new FileFormatInspector(recognised);
        builder.Services.AddSingleton<IFileFormatInspector>(inspector);

        builder.Services.AddSingleton<IFileStreamSecurityAnalyzer, PdfSecurityAnalyzer>();
    }
}

Notice I'm configuring the FileFormatInspector to only look for PDFs, which is better for performance but you can add multiple file types or configure it to look for all types known by the library - have a look at the GitHub Repo for more info.

With the above code implemented, try and upload a PDF containing JavaScript (like the perfectly benign one I linked to above), and you'll get this lovely error message.

You may get some false positives, but this was all about false positives really, wasn't it...

The Bot That Shouldn’t Have Taken Down My Umbraco Site, and the WAF Rule That Fixed It

Jason Elkin — Fri, 21 Nov 2025 11:19:36 +0000

This week, one of our sites was brought down by a Denial of Service attack. It wasn’t really a DoS attack, i.e. I’m sure that wasn’t the attackers’ aim, but the attack did cause a Denial of Service nonetheless.

It was clear a bot was spamming the site with several thousands of requests per minute, but that in itself was well within the threshold that we’d expect the site to be able to handle - this is a modern Umbraco site with load-balancing/auto-scaling and a well optimized codebase after all.

So, what was going on?

The problem was the nature of the traffic – form submissions. Shedloads of form submissions, being made to both Umbraco forms and our custom surface controllers, that were causing errors.

It was those errors that contributed to a significant degradation in performance, leaving us with some challenges that we had to find a way to overcome:

1. Umbraco Forms

Umbraco Forms has a honeypot field built-in – this is a hidden text field that looks tempting to bots, so they fill it in. If a form is submitted with a value in that field, Umbraco Forms will reject the submission. The bot hitting our site was totally falling for the honeypot - great! So what’s the problem? When Umbraco Forms rejects that submission it also logs that rejection.

Logging is a non-trivial concern in performance-critical applications. In Umbraco, every log entry is a disk write operation by default. So, although the site would normally be able to handle this level of traffic easily, these POST requests are resulting in a disk write (which in an Azure Web App is actually a network request under the hood) – gobbling up IO and slowing the site down.

2. Surface controllers

We had a bigger problem with our surface controllers. Surface controllers use a hidden ufprt field to store an encrypted value for routing form submissions. If there’s a problem with this field, i.e. Umbraco can’t decrypt it, an error is thrown.

The bot spamming us was stuffing that field with SQL in the vain hope of carrying out an SQL Injection. Of course Umbraco was unable to decrypt that into a valid ufprt value so threw an error.

So, just like with Umbraco Forms we have an error being logged for each of these requests, with the added overhead of an Exception being thrown.

2.1 reCAPTCHA

There was another problem with our surface controllers: reCAPTCHA.

Like a lot of other .NET projects, we use an attribute on our controllers to handle reCAPTCHA validation. The problem is that this validation was running before Umbraco tried to decrypt the ufprt field – so as well as the exception and extra writes to disk, every request was also making an HTTP request to the reCAPTCHA API, gobbling up precious TCP threads.

We're serving all these requests!

On top of the errors themselves, we’re then returning a 500 error page for most of these requests.

These are dynamic/server-rendered pages on this site so they are using compute – it’s not a big deal, but we don’t want to be wasting those resources on bot requests.

Considerations

Sure, we could look at each of the individual problems above and solve for them but…

I still want to know about errors, so I need logging.
I still want to use reCAPTCHA to validate form submissions, especially from bots.
I still want to serve dynamic error pages (though there’s an argument to be made for better caching).

For legitimate traffic, I still want all of this to happen. For illegitimate traffic I don’t want our app to be responding at all - it’s a waste of resources. In fact, W3C’s Web Sustainability Guidelines recommend filtering suspicious activity for this reason.

We should be blocking this traffic at the edge, and that’s a job for the WAF - In this case Cloudflare.

The Solution

It’s time for a new WAF rule.

Fortunately, there’s a really simple rule that we can deploy in Cloudflare to block this traffic.

I set up a new Rate Limiting Rule with an expression that matches all POST requests, then rate limited it to 20 POST requests per IP address every 20 seconds before issuing a challenge.

No legitimate user is going to be making more than 20 POST requests in 20 seconds. You might even think that’s a little high, but we can only rate-limit by IP address, and multiple users will legitimately be sharing a single IP.

Here’s what that looks like in the portal:

The Result

3 million requests have been blocked since I deployed that rule yesterday and, most importantly, the site has remained online and performant for legitimate users throughout.

Win.

Yet another CORS in Umbraco post

Jason Elkin — Thu, 06 Mar 2025 11:05:18 +0000

I don't know how many blog, forum, and Discord posts I've read about how to set up CORS for a headless site in Umbraco. It feels like a lot. None of them worked for me 😥

It's probably just the usual problem of incorrect middleware order, which is always slightly tricky in Umbraco as some of the pipeline configuration is abstracted away.

What am I trying to do?

POST a form, via the Fetch API, from the frontend of my Headless site to my Umbraco instance backend.

The Problem

CORS. It's there to keep us all safe, but it can be a pain to configure.

Fortunately there's a built-in CORS middleware in ASP.NET Core that can be configured

The Catch

I can't modify Startup.cs. Well, I could but it would ruin my project's architecture. The headless features are added in a separate assembly to the site's Core and Web code. The idea is that we can just drop the headless library into a baseline project to "switch on" headless functionality.

The Solution

Below is what is now working for me.

This composer lives in my BaseProject.Headless library and adds the appropriate CORS, so long as a frontend URI is set.

public class Composer : IComposer
{
    private const string FrontendCorsPolicyName = "FrontendCorsPolicy";

    public void Compose(IUmbracoBuilder builder)
    {

        if (Uri.TryCreate(builder.Config.GetSection("Headless:FrontendUrl")?.Value, UriKind.Absolute, out Uri? frontendUri))
        {
            builder.Services.AddCors(options =>
            {
                options.AddPolicy(FrontendCorsPolicyName, corsPolicyBuilder =>
                {
                    corsPolicyBuilder.WithOrigins(frontendUri.ToString())
                    .SetIsOriginAllowed(origin => new Uri(origin).Host == "localhost")
                    .AllowAnyHeader()
                    .AllowAnyMethod();
                });
            });

            builder.Services.Configure<UmbracoPipelineOptions>(options =>
            {
                options.AddFilter(new UmbracoPipelineFilter(FrontendCorsPolicyName)
                {
                    PrePipeline = app =>
                    {
                        app.UseCors(FrontendCorsPolicyName);
                    },
                });
            });
        }
    }
}

Of special note is this:

corsPolicyBuilder.SetIsOriginAllowed(origin => 
  new Uri(origin).Host == "localhost"
)

This is here because we can't guarantee devs running the frontend locally will be using any specific port (or scheme) - this should probably be wrapped in an environment check.

When does != true != !true?

Jason Elkin — Wed, 13 Dec 2023 10:56:33 +0000

This is a rather contrived tongue-in-cheek edge case, and super nerdy... but I have some code that does this:

Console.WriteLine(liar == true); // True
Console.WriteLine(liar != true); // True
Console.WriteLine(!liar); // False

WHY!?!

Partly because I'm a contrarian, but also to highlight something that we might take for granted in C#.

@leekelleher wrote a great article about his take on coding standards where he compares two different ways of doing the same thing, specifically this:

if(!string.IsNullOrWhiteSpace(input)) { 
  //... 
}

// or

if(string.IsNullOrWhiteSpace(input) == false) { 
  //... 
}

Lee points out that functionally (and even in IL) these two lines of code are exactly the same (and for string.IsNullOrWhiteSpace() that will almost certainly always be the case), but they don't have to be the same...

Logically these lines of code are doing something different, which shouldn't be a surprise because they are different.

If we do away with the method being invoked, which returns a bool, and the if then we can focus a bit on the logic.


var x = !a; // x IS NOT a.

var x = a == false; // x IS (a EQUALS false).

That first line is a logical negation. The second line is an equality comparison against a (static) false value. These are using different operators, and in C# operators are implemented explicitly and independently and can be overridden.

What do I mean by that? let's take a look at some code from my (very naughty) Liar struct.

Jason's Evil Liar Struct

BTW, don't do this 🙈.

public struct Liar(bool isTrue)
{
    private readonly bool _true = isTrue;

    public static bool operator ==(Liar left, bool right)
    {
        return left._true == right;
    }

    public static bool operator !=(Liar left, bool right)
    {
        return left._true == right; // 😈
    }
}

Here I'm defining what should happen when someone compares my Liar struct to a bool. You can, of course, spot the deliberate mistake.

The point is, != and == invoke different methods, i.e. != is not simply a logical negation of ==. This means that a != b is not doing the same as !(a == b) and vice versa.

So what about the logical negation operator? You'd be forgiven for thinking that a has to be a bool for !a to work, but that's not the case. It could be anything that has the implicit operator for a bool defined (or the true/false operators). That's right JavaScript fans, you can make truthy/falsey types in C# 😬.

Here's the code for implicit operator that lets me use my Liar struct as if it's a bool:

public static implicit operator bool(Liar liar)
{
  return liar._true;
}

Now we can do this:

Liar liar = new(true);

if (liar)
{
  //
}

We can also add an implicit operator so that we don't even need to create an instance of Liar, and can just assign true to it:

public static implicit operator Liar(bool isTrue)
{
  return new(isTrue);
}

Now we can do this:

Liar liar = true;

Yeah, but this never happens in the real world

Unless someone does something silly... and people never do silly things...

Though that's not really my point, there are a few other things I'd like you to take away from this:

1. Code that looks like it's doing something different, is doing something different

Two lines of code that look like they're doing something different almost always are doing something different, even if the outcome is functionally the same.

Sure, in the real world the difference between !string.IsNullOrWhiteSpace(input) and string.IsNullOrWhiteSpace(input) == false is largely academic, so you can choose what works for you. But that's not necessarily going to be the case all the time, and being aware of the difference here might just save you a few hours of debugging one day.

2. In C# we can choose how operators work

At least with our own code, it's called operator overloading. https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/operator-overloading

I've known some C# devs get confused by equality in JavaScript with ==, ===, !=,!== and truthy/falsely logic like !someString. In many ways this is actually a lot simpler than C# because it is what it is, and we can't change it.

In C# all bets are off - you have complete control in defining how operators work with the classes/structs etc. that you define.

This is actually a super powerful feature of C# and I love it when library authors implement it to improve the developer experience, like this example:

var ratio = new(16,9);
if(ratio == "16:9")) //😙👌

3. You can write operators to compare pretty much anything!

My Liar is just a wrapped bool to make a silly example, but we can have any logic inside these operators and use them for more complicated types.

There's also no limit on what types you can add operators for, here I've just added code to compare Liar with bool but we can write code to compare our types to anything.

Thanks for nerding out with me...

If you've not had a go at overloading operators in your own types before, why not give it a try?

I'm sure you've got classes that would be useful if they could be compared against a string value, like the ratio example above, or an int or whatever.

Here's the full example Liar struct

public readonly struct Liar(bool isTrue) : IEquatable<bool>
{
    private readonly bool _true = isTrue;

    public static bool operator ==(Liar left, bool right)
    {
        return left._true == right;
    }

    public static bool operator !=(Liar left, bool right)
    {
        return left._true == right; // 😈
    }

    public static implicit operator bool(Liar liar)
    {
        return liar._true;
    }

    public static implicit operator Liar(bool isTrue)
    {
        return new(isTrue);
    }

    public override bool Equals(object obj)
    {
        return obj is Liar liar && liar._true == _true;
    }

    public override int GetHashCode()
    {
        return _true.GetHashCode();
    }

    public bool Equals(bool other)
    {
        return _true == other;
    }
}

Why I built an Umbraco package that does "nothing"

Jason Elkin — Tue, 28 Jun 2022 06:52:56 +0000

Well, maybe not nothing, but definitely null.

Consider this problem: You have a temperature property on a page, and that property is optional. How do you distinguish between no value, and 0°C in your code?

By default, a blank decimal or integer property in the Umbraco backoffice will come out the other side of the default property value converter with the default value of 0. This means to be able to differentiate between an empty value and 0 you need to do some extra work.

How I used to do it

Nested content. It works out-of-the-box and is very intentional. The property inside the nested content needs to be required and the editor can choose to "add" a temperature value, or leave it empty.

But it's not pretty, and it's a rather clunky flow for editors.

The backoffice already knows the difference

The backoffice already distinguishes between an empty value and a 0 in a decimal/integer property. In this screenshot Temperature is "0", but Temperature 2 is empty.

So all we need is a nice way of differentiating between empty and 0 values in our code.

Make those values `nullable`!

This is a good place to make use of nullable value types, because these are nullable values! Umbraco even already stores them as NULL in the database. So instead of our decimal property returning a decimal value type, we can make it return a decimal? type.

Do it yourself

To do this we'll need to use a new property value converter that can return a null.

Inherit from (or use the decorator pattern) to make a new class that replaces the ConvertSourceToIntermedia Method of the Umbraco.Cms.Core.PropertyEditors.ValueConverters class. Making it nullable is actually quite straightforward.

public object? ConvertSourceToIntermediate(
    IPublishedElement owner,
    IPublishedPropertyType propertyType,
    object? source,
    bool preview)
{
    if (source is null)
    {
        return null;
    }

    // is it already a decimal?
    if (source is decimal)
    {
        return source;
    }

    // is it a double?
    if (source is double sourceDouble)
    {
        return Convert.ToDecimal(sourceDouble);
    }

    // is it a string?
    if (source is string sourceString && decimal.TryParse(sourceString, NumberStyles.AllowDecimalPoint | NumberStyles.AllowLeadingSign, CultureInfo.InvariantCulture, out decimal d))
    {
        return d;
    }

    // couldn't convert the source value - default to null
    return null;
}

My site makes use of Nullable Reference Types so, as I am returning null, I need to change the return type from object to object?. This means I can't simply inherit, so my class is actually a decorator:

public class NullableDecimalConverter : IPropertyValueConverter
{
    readonly IPropertyValueConverter coreConverter = new DecimalValueConverter();
...

You can see the full example of the class in my package's repo.

Because property value converters are type-scanned at startup, and you can only only have one property value converter for a type at a time, you will need to replace DecimalValueConverter with NullableDecimalConverter at startup.

There's a package for that

As well as decimals, there are a number of other property types that return value types that should probably be able to return null values.

Date Picker - default value is 0001-01-01 00:00:00
Integer - default value is 0
Labels

So I created a package called Emptiness:

It adds nullable property value converters for the property types mentioned above, as well as a bonus...

Toggles (True/False)

Though toggles don't have a null state in the UI, they can be empty if:

A property has been added to a content type, but some content of that type has not been (re)published since.
Content has been created via the API, without the property value having been set.

In these cases the following converters might be useful:

YesNoDefaultConverter which returns the "Initial State" (default) value that has been configured in the property editor's settings.
NullableYesNoConverter, returns null if content hasn't yet been (re)published with the property.

Getting started

Just install it from NuGet and go.

> dotnet add package Our.Umbraco.Emptiness

There's a default configuration that I think will make sense for most sites. It makes empty integer, decimal and date pickers null when empty and makes Toggle's return their default value.

After installing & configuring rebuild your ModelsBuilder models and you'll see the relevant properties have been made nullable (so you'd better null-check them 😉).

Feedback please 🙏

The package is still pretty new, and I'm only using it in anger on one site, so I really welcome any feedback/issues etc.

It's somewhat different to what we're used to when working with properties in Umbraco, but I've found nullable values are a much better way of taking what's happening in the backoffice editor UI and surfacing that in our website code.

Enabling non-unique node names in Umbraco 9

Jason Elkin — Wed, 16 Mar 2022 09:41:45 +0000

By default Umbraco doesn't let you have two documents with the same name underneath the same parent. I needed to change that.

If you're wondering why...

(if not, skip to the how)

In my particular case this is for news articles and event pages.

My news and event pages use a custom IUrlProvider and IContentFinder (as per the docs) so that my news and events pages can have URLs like this:

/events/2022/03/16/my-awesome-event/

I have multiple events with the same name, but I want to keep all of my events underneath a single parent node in the backoffice. By default, if I create two events called "My Awesome Event" beneath the same node in the backoffice I'll end up with "My Awesome Event" and "My Awesome Event (1)", like this:

The URL changes too:
/events/2022/03/16/my-awesome-event/
/events/2022/04/20/my-awesome-event-1/

I could use date "folders", and automate this by moving the articles/events on save, but this adds extra nodes and hierarchy that I don't want or need. Having them all in one list view will make for a much nicer editor experience (in this site).

A bit of googling reminded me that in v7 we had the option to set ensureUniqueNaming to false in the config. That's not available in v8, and was a bit of a blunt instrument anyway.

Turns out that in v9 (and probably in v8 too, but I haven't checked) there's a smarter way...

Here's how

EnsureUniqueNaming is still a property on the DocumentRepository and it's used to determine if the repository allows non-unique names. It's set to false, and I thought about inheriting this class and simply setting this to true - but that would set it to true for all content, and that seems risky. I have routing in place to make sure that non-unique names for my news/events don't matter, but if when an editor creates a page with a duplicate name elsewhere it just wont work.

Fortunately, there's an overridable method that means we can be a bit smarter - EnsureUniqueNodeName.

In this method I have access to the parent id, so I can check where I'm saving content and conditionally decide to allow duplicate node names or not.

Here's what I ended up doing:

public class CustomDocumentRepository : DocumentRepository
{
    private static readonly string[] allowNonUniqueChildNames = { EventsPage.ModelTypeAlias, NewsPage.ModelTypeAlias };

    // constructor ommited for brevity

    protected override string EnsureUniqueNodeName(int parentId, string nodeName, int id = 0)
    {
        var parent = this.Get(parentId);

        if (allowNonUniqueChildNames.InvariantContains(parent.ContentType.Alias))
        {
            return nodeName;
        }

        return base.EnsureUniqueNodeName(parentId, nodeName, id);
    }
}

In this case the content type aliases are taken from my ModelsBuilder models.

Thanks to Dependency Injection, it's super easy to replace the existing repository with our custom one. Here's an example using startup.cs, make sure to either add the service after the AddUmbraco extension or add it to your own builder extension method which is what I did.

public void ConfigureServices(IServiceCollection services)
{
    services.AddUmbraco(_env, _config)
        .AddBackOffice()
        .AddWebsite()
        .AddComposers()
        .Build();
        .Build();

    services.AddUnique<IDocumentRepository, CustomDocumentRepository>();
}

The result:

This could be better...

This approach only really works where it makes sense to scope non-unique names based on the parent node - though that doesn't have to be based on type, it could be a property value etc. In my case, an "events" node only has child events and a "news" node only child news articles, so this is fine.

Ideally, I'd want to take more things into account such as the type or even content of the node that I am saving, but this method doesn't know anything about the content other than the name. I could override other methods but that would result in a lot of code duplication (just look at all those private methods). Perhaps there's scope for adding a notification here to allow control over how and when unique names are applied, or at least overloading the method to take the content itself into account. If I get round to making a PR for that I'll update this post.

Forem: Jason Elkin

Mitigating CVE-2025-67288 in Umbraco (if you feel you need to)

A bit about CVE-2025-67288

Remote Code Execution?

Is is really XSS?

It's JavaScript, but not as we know it

Enter the IFileStreamSecurityAnalyzer

The Bot That Shouldn’t Have Taken Down My Umbraco Site, and the WAF Rule That Fixed It

So, what was going on?

1. Umbraco Forms

2. Surface controllers

2.1 reCAPTCHA

We're serving all these requests!

Considerations

The Solution

Here’s what that looks like in the portal:

The Result

Yet another CORS in Umbraco post

What am I trying to do?

The Problem

The Catch

The Solution

When does != true != !true?

WHY!?!

Jason's Evil Liar Struct

Yeah, but this never happens in the real world

1. Code that looks like it's doing something different, is doing something different

2. In C# we can choose how operators work

3. You can write operators to compare pretty much anything!

Thanks for nerding out with me...

Why I built an Umbraco package that does "nothing"

How I used to do it

The backoffice already knows the difference

Make those values nullable!

Do it yourself

There's a package for that

Toggles (True/False)

Getting started

Feedback please 🙏

Enabling non-unique node names in Umbraco 9

If you're wondering why...

Here's how

This could be better...

Make those values `nullable`!