This page is specific to
The 2007 product release

SPSite.AllowUnsafeUpdates Property (Microsoft.SharePoint)
Gets or sets a Boolean value that specifies whether to allow updates to the database as a result of a GET request or without requiring a security validation.

Namespace: Microsoft.SharePoint
Assembly: Microsoft.SharePoint (in microsoft.sharepoint.dll)
Visual Basic (Declaration)
Public Property AllowUnsafeUpdates As Boolean
Visual Basic (Usage)
Dim instance As SPSite
Dim value As Boolean

value = instance.AllowUnsafeUpdates

instance.AllowUnsafeUpdates = value
C#
public bool AllowUnsafeUpdates { get; set; }

Property Value

true if unsafe updates are allowed; otherwise, false.

Setting this property to true opens security risks, potentially introducing cross-site scripting vulnerabilities.

Community Content
May need to use SPSite.Update method.      Chicago Jay ... cdomino

There are reports from the community that, in order for AllowUnsafeUpdates to work, the Update method of the SPSite object needs to be called as well:

SPSite.AllowUnsafeUpdates = True

SPSite.Update

Also, you may want to try using a POST, rather than a GET in order to avoid having to set this property.

//DOMINO - 7.29.8
...except that there's no SPSite.Update() method! Update is the ubiquitous method to call to update the SharePoint database for the instanced object. I wonder why there's an AllowUnsafeUpdates property when there's no Update method, unless Update is called behind-the-scenes when the object is disposed or something.
http://blogs.catalystss.com/blogs/christopher_v_domino/default.aspx
//END DOMINO

AllowUnsafeUpdates does not work      Robert Wu ... rlasker3

If, after changing the value of AllowUnsafeUpdates to true, you still get the same error message ("Updates are currently disallowed on GET requests. To allow updates on a GET, set the 'AllowUnsafeUpdates' property on SPWeb."), then you may not be setting the property on the correct SPWeb or SPSite object. This is described well in the excellent post "What you need to know about AllowUnsafeUpdates":

http://hristopavlov.wordpress.com/2008/05/16/what-you-need-to-know-about-allowunsafeupdates/

Proper Pattern for AllowUnsafeUpdates      rlasker3

So far, in my research I have seen that it is unwise to set AllowUnsafeUpdates on a GET request operation. But, if this is required, what is the proper way to handle the situation to mitigate any exposure?

//Best Practice?
// NOTE: should the base OnLoad be called before or after this?
protected override void OnLoad(System.EventArgs e)
{
    if (Request.HttpMethod == "POST")
    {
        SPUtility.ValidateFormDigest(); //will automatically set AllowSafeUpdates to true
    }

    // If not a POST then AllowUnsafeUpdates should be used only at the point of update and reset immediately after finished
    //NOTE: Is this true? How is cross-site scripting used on GET and what mitigates the vulnerability?
}

//point of item update
SPSecurity.RunWithElevatedPrivileges(delegate()
{
    using (SPSite site = new SPSite(SPContext.Current.Site.Url))
    {
        using (SPWeb web = site.RootWeb)
        {
            bool allowUpdates = web.AllowUnsafeUpdates;
            web.AllowUnsafeUpdates = true;
            // ... Do something and call Update() ...
            web.AllowUnsafeUpdates = allowUpdates;
        }
    }
});

Feedback on the best pattern is appreciated.
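
An added example, not from the MSDN reference or from any annotation author above: one way to keep the flag scoped so that an exception during the update cannot leave AllowUnsafeUpdates switched on for the rest of the request. UnsafeUpdateScope, AuditWriter and the list name "Audit" are hypothetical names chosen for illustration; the request is accepted only as a POST with a valid form digest.

```csharp
using System;
using System.Web;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Hypothetical helper (not part of the SharePoint API): switches
// AllowUnsafeUpdates on for one SPWeb and restores the previous value
// when disposed, even if the update throws.
public sealed class UnsafeUpdateScope : IDisposable
{
    private readonly SPWeb web;
    private readonly bool previous;

    public UnsafeUpdateScope(SPWeb web)
    {
        if (web == null) throw new ArgumentNullException("web");
        this.web = web;
        this.previous = web.AllowUnsafeUpdates;
        web.AllowUnsafeUpdates = true;
    }

    public void Dispose()
    {
        web.AllowUnsafeUpdates = previous;
    }
}

public static class AuditWriter
{
    // Adds one item to a list named "Audit" (constructed name) in the current web.
    public static void Record(HttpRequest request, string title)
    {
        // Refuse state changes on GET, and on POST without a valid form digest.
        if (request.HttpMethod != "POST" || !SPUtility.ValidateFormDigest())
            throw new InvalidOperationException(
                "Update rejected: a POST with a valid form digest is required.");

        SPWeb web = SPContext.Current.Web; // owned by SPContext, so not disposed here
        using (new UnsafeUpdateScope(web)) // flag is on only inside this block
        {
            SPListItem item = web.Lists["Audit"].Items.Add();
            item["Title"] = title;
            item.Update();
        }
    }
}
```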
