Inline Code

Specifies server-side code that is directly embedded into a Web page.

Real World Example

A Web page designer familiar with ASP programming wants to be able to quickly modify the business logic code that various Web pages use within a SharePoint site. Inline code is enabled to allow flexible development by the Web designer so that she can upload and run custom Web pages.

Technical Details

Inline code is disabled by default on any customized or uploaded Web page in a SharePoint site. It can be enabled on a per directory path basis, with children potentially inheriting the settings. This exclusion can be enabled through the specific Web site path that is included in the PageParserPaths collection in the web.config file. After the PageParserPath inline code exclusion is set, any page within that directory has the capability to execute any code that is embedded directly in the HTML content of the page if the script tag is set to run at the server.

The following is an example of a PageParserPath inline code exclusion that applies to all files and children.

<SharePoint>
   <SafeMode MaxControls = "200" CallStack = "false" DirectFileDependencies ="10" TotalFileDependencies = "50" AllowPageLevelTrace = "false">
      <PageParserPaths>
         <PageParserPath VirtualPath="/_mpg/*" CompilationMode="Always" 
         AllowServerSideScript="true" IncludeSubFolders="true"/>
      </PageParserPaths>
   </SafeMode>
</SharePoint>

Inline code is enabled on any Web page installed on the file system of the server, such as within a site definition or in the _layouts directory. One problem with using inline code in a site definition is that the code will work inline as long as the page instance in a site is not customized to the file system. However, as soon as it is customized, the inline code will fail.

Support Details

Because inline code can run with full trust on the server, it is possible for a developer to expose data from anywhere in the SharePoint environment by making a call to elevate the privileges of the code during run time. As a best practice, any inline code should therefore be reviewed for security implications before it is allowed to be installed and run on the server. The following support policies are recommended for inline code:

  • Inline code in Site Definition based ASPX pages: Inline code is not recommended within a site definition due to the issues involved with the code no longer rendering as soon as the page is customized.

  • Inline code in _layouts-based ASPX pages: Inline code is supportable if included on a page in the _layouts directory.

  • Inline code enabled through PageParserPath exclusion: Inline code should not be allowed through the PageParserPath exclusion, except in extremely rare circumstances, because it can be modified without going through any review process. As a result, it represents a danger to the environment’s performance and security.