So you’ve installed a vanilla install of Sitecore 7.2 and you are about to give it a test run to make sure that basic features like content creation and publishing works. But you stumble across a weird issue when you try to publish an item and no popup is displayed! In fact, if you try any function where the new modal dialog Sitecore popup is used, you will notice that none of this actually works now…
In Sitecore 7.2, XAML is still widely used throughout the admin pages and in some cases, the new JQuery modal dialog is used, for instance the publish item popup. An example of this popup is shown below:
You will notice that the XAML windows are not affected by this issue, but only the new JQuery ones are. This is not easily identifiable at first but I will explain how you will find out what causes this.
If you are in Chrome (And no, this is not related to the Chrome Modal Dialog issue) you will want to press F12 to bring up the developer toolbar. You will notice the following error messages as shown below:
In IIS and under ISAPI Filters for your website, you will probably have URLScan 3.1 installed on your server for penetration test fixes. This is a module that you install in IIS to lock down certain HTTP requests.
You can remove this from your list of ISAPI Filters and your popups will function again with no problem and this is a solution from some Googling.
But you may not be in the position to do this because it may fail your penetration tests. So what can we do instead?
The problem is that the default installation has the following configuration set to false:
This basically says that URL paths cannot have more than 1 dot in its URL and if it does, then it will return a 404 for that file. The problem we have with websites nowadays (including Sitecore) is that JQuery files for instance have dots everywhere! (well, not everywhere) so these always return a 404, thus stopping most of your JQuery features from functioning.
So to get around not removing URLScan from your website, you can set this property to 1 and reset IIS and you’re good to go!
Please note that you will need to work with your penetration company to make sure that by removing this you mitigate other areas.