I recently had a support ticket in which a few customers complained that they couldn't submit a Web Forms For Marketers (WFFM) form with an & in it. Originally, the data entered into a WFFM form wasn't encoded, and the "<", ">" and "&" characters have been disabled by default to prevent code injection.


When you submit a form containing one of these characters, you will usually see this error message: 'The {0} fields contains content that may present a security risk. Please enter appropriate information'. In my opinion, this really isn't the best user experience. If someone is trying to use your contact form but doesn't know exactly what they've done wrong, the chances increase that they will turn tail and leave your website, never to come back, and consequently you could lose business. In today's tutorial, I'm going to cover some of the techniques you can use within Sitecore to overcome this problem.

Making The Error Message More User Friendly

This approach is probably the easiest to implement. Sitecore has added this restriction for a reason: security. Some people might want to stick with that approach, so creating a more descriptive error is a good starting place. There are two ways to override the default message, one on a per form basis and the other on a global basis.

Per Form Basis

If you want to update the message of a single form, open the content editor in master and navigate to the form in question. This is usually somewhere around:

'Sitecore' -> 'System' -> 'Modules' -> 'Web Forms for Marketers' -> 'Websites'

Select the form you want to edit, wait for it to load, and then in the top ribbon select the 'Form Verification' option.


You should see the Form Verification dialog. Select the 'Access Security Risk' option, and then click the 'Error Messages' tab. In here you can add the text you want to display.


Global Basis

In your Sitecore desktop, switch to the 'core' database (see How To Switch Between The Core and Master Database in Sitecore).

Open the content editor and navigate to 'System' -> 'Dictionary' -> 'T'. In here you will find two entries: 'TWFM The 0 field contains content that may present a security risk Please enter appropriate info' and 'TWFM The 0 fields contains content that may present a security risk Please enter appropriate inf'.

Open each of these, add the error message you want to display instead of the default phrase in the 'Phrase' field, and save the item. When you refresh Sitecore you should see your new error message displayed.


All the values stored in the Core dictionary are cached. If you open up your webroot and look in the 'temp' folder, you should see a file called 'dictionary.dat'. When you update any dictionary value, it is recommended that you delete this file and do an IIS reset (assuming you are working in development). This will force the dictionary values to update.

Disabling Validation Altogether

Now, I wouldn't recommend this approach but it is possible to completely disable the validation for a particular form. In the 'master' database, go to your selected form, usually somewhere around:

'Sitecore' -> 'System' -> 'Modules' -> 'Web Forms for Marketers' -> 'Websites'

Select the form and wait for it to load. In the Ribbon, select the View tab and enable the 'Raw Value' option.


Now in the form, find the 'Check Actions' field. In here you should see a bunch of XML, that looks similar to the below:

Remove the node with ID {2D5B5061-747A-4477-BD41-E746EAFEB231} from the "Check actions" field. This will delete the validation. WARNING: doing this may open up your site to code injection, depending on your set-up, so be warned and test your code.
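
If the check is removed on some forms, it helps to keep track of which ones. The script below is an added example, not part of the original post or of Sitecore's own code: it scans raw 'Check Actions' values and lists the forms where the node with the ID above is missing. The XML nesting, the form names and the export format are constructed assumptions; only the node ID comes from this page.

```python
import re
import xml.etree.ElementTree as ET

# Node ID quoted on this page for the security-risk check.
SECURITY_CHECK_ID = "2D5B5061-747A-4477-BD41-E746EAFEB231"

def _norm(guid):
    """Normalise a GUID: drop braces and whitespace, upper-case."""
    return guid.strip().strip("{}").upper()

def has_security_check(raw_check_actions):
    """True if the raw 'Check Actions' value still holds the check node."""
    raw = (raw_check_actions or "").strip()
    if not raw:
        return False  # empty field: no check actions at all
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        # Malformed XML: fall back to scanning the text for id attributes.
        ids = re.findall(r"""\bid\s*=\s*["']([^"']+)["']""", raw, re.I)
        return any(_norm(i) == SECURITY_CHECK_ID for i in ids)
    # Match any element carrying the ID, so the exact nesting does not matter.
    return any(_norm(el.get("id", "")) == SECURITY_CHECK_ID for el in root.iter())

def forms_without_check(forms):
    """Return the sorted names of forms whose check node is missing."""
    return sorted(n for n, raw in forms.items() if not has_security_check(raw))

# Constructed sample export: form name -> raw 'Check Actions' field value.
# The nesting and the second ID are invented for illustration (assumption).
OTHER_ID = "{11111111-2222-3333-4444-555555555555}"
SAMPLE_FORMS = {
    "Contact Us": '<li><g id="%s"><li id="{%s}"/></g></li>'
                  % (OTHER_ID, SECURITY_CHECK_ID),
    "Newsletter": '<li><li id="{%s}"/></li>' % SECURITY_CHECK_ID.lower(),
    "Feedback": '<li><g id="%s"/></li>' % OTHER_ID,         # node removed
    "Survey": "",                                            # field emptied
    "Legacy": '<li><g><li id="{%s}"></g>' % SECURITY_CHECK_ID,  # malformed XML
}

if __name__ == "__main__":
    for name in forms_without_check(SAMPLE_FORMS):
        print("security-risk check missing:", name)
```

Forms reported by the script are the ones to review for how submitted values are encoded before they are displayed or stored.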


In today's post, we've covered the 'Assess Security Risk' option of WFFM. When dealing with forms in WFFM we have several options. The first option is to improve the user experience and make Sitecore produce a better validation message. This can be done either on a per form basis or globally.