SPSite.AllowUnsafeUpdates Property (Microsoft.SharePoint)
Gets or sets a Boolean value that specifies whether to allow updates to the database as a result of a GET request or without requiring a security validation.

Namespace: Microsoft.SharePoint
Assembly: Microsoft.SharePoint (in microsoft.sharepoint.dll)
Syntax

Visual Basic (Declaration)
Public Property AllowUnsafeUpdates As Boolean
Visual Basic (Usage)
Dim instance As SPSite
Dim value As Boolean

value = instance.AllowUnsafeUpdates

instance.AllowUnsafeUpdates = value
C#
public bool AllowUnsafeUpdates { get; set; }

Property Value

true if unsafe updates are allowed; otherwise, false.
Remarks

Setting this property to true opens security risks, potentially introducing cross-site scripting vulnerabilities.

Community Content

cdomino
May need to use SPSite.Update method.

There are reports from the community that, in order for AllowUnsafeUpdates to work, the Update method of the SPSite object needs to be called as well:

SPSite.AllowUnsafeUpdates = True

SPSite.Update

Also, you may want to try using a POST, rather than a GET in order to avoid having to set this property.

//DOMINO - 7.29.8
...except that there's no SPSite.Update() method! Update is the ubiquitous method to call to update the SharePoint database for the instanced object. I wonder why there's an AllowUnsafeUpdates property when there's no Update method, unless Update is called behind-the-scenes when the object is disposed or something.
http://blogs.catalystss.com/blogs/christopher_v_domino/default.aspx
//END DOMINO


rlasker3
AllowUnsafeUpdates does not work

If, after changing the value of AllowUnsafeUpdates to true, you still get the same error message ("Updates are currently disallowed on GET requests. To Allow updates on a GET, set the 'AllowUnsafeUpdates' property on SPWeb.") then you may not be setting the property on the correct SPWeb or SPSite object. This is described well in the excellent post "What you need to know about AllowUnsafeUpdates".

http://hristopavlov.wordpress.com/2008/05/16/what-you-need-to-know-about-allowunsafeupdates/


rlasker3
Proper Pattern for AllowUnsafeUpdates

So far, in my research I have seen that it is unwise to set AllowUnsafeUpdates on a GET request operation. But, if this is required, what is the proper way to handle the situation to mitigate any exposure?

// Best Practice?

// NOTE: should the base OnLoad be called before or after this?

protected override void OnLoad(System.EventArgs e)
{
    if (Request.HttpMethod == "POST")
    {
        SPUtility.ValidateFormDigest(); // will automatically set AllowSafeUpdates to true
    }

    // If not a POST then AllowUnsafeUpdates should be used only at the point of update and reset immediately after finished

    // NOTE: Is this true? How is cross-site scripting used on GET and what mitigates the vulnerability?
}

// point of item update

SPSecurity.RunWithElevatedPrivileges(delegate()
{
    using (SPSite site = new SPSite(SPContext.Current.Site.Url))
    {
        using (SPWeb web = site.RootWeb)
        {
            bool allowUpdates = web.AllowUnsafeUpdates;
            web.AllowUnsafeUpdates = true;
            try
            {
                // ... Do something and call Update() ...
            }
            finally
            {
                // Restore the previous value even if the update throws
                web.AllowUnsafeUpdates = allowUpdates;
            }
        }
    }
});

Feedback on the best pattern is appreciated.
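
Added example, not part of the original page or of any commenter's post: one way to combine the points raised in the comments above, refusing the write unless the request is a POST with a valid form digest, and setting the flag only on the SPWeb instance that actually calls Update(). UnsafeUpdateScope and WebDescriptionUpdater are hypothetical names, and the example assumes the elevated SPWeb still needs the flag after the digest check.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Hypothetical helper, not a SharePoint API: turns AllowUnsafeUpdates on for one
// SPWeb instance and restores the previous value on Dispose, even if Update() throws.
public sealed class UnsafeUpdateScope : IDisposable
{
    private readonly SPWeb _web;
    private readonly bool _previous;

    public UnsafeUpdateScope(SPWeb web)
    {
        if (web == null) throw new ArgumentNullException("web");
        _web = web;
        _previous = web.AllowUnsafeUpdates;
        web.AllowUnsafeUpdates = true;
    }

    public void Dispose() { _web.AllowUnsafeUpdates = _previous; }
}

public static class WebDescriptionUpdater   // hypothetical caller
{
    // Call from a page or web part while handling a request.
    public static void SetDescription(string httpMethod, string description)
    {
        // State changes are accepted only on POST with a valid form digest.
        if (httpMethod != "POST" || !SPUtility.ValidateFormDigest())
            throw new InvalidOperationException("Update refused: validated POST required.");

        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            // Assumption: this elevated instance still needs the flag. It is
            // per-instance state, so it is set on the SPWeb that calls Update(),
            // not on SPContext.Current.Web.
            using (new UnsafeUpdateScope(web))
            {
                web.Description = description;
                web.Update();
            }
        });
    }
}
```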
