How to: Mark Controls as Safe Controls

 

For security, SharePoint differentiates between Web controls that are protected against script injection and Web controls that are not. Protected controls, or safe controls, can be accessed by untrusted users. You can mark controls as safe in the Safe Control Entries property of a SharePoint project item or in the Package Designer when you add an assembly to the package. For more information, see

web.config file Settings Change and Registering a Web Part Assembly as a Safe Control.

System_CAPS_ICON_important.jpg Important


These procedures are for illustrative purposes. Mark controls safe only if you are certain that they are secure.

To mark controls as safe or unsafe in the Safe Control Entries property

  1. Create a SharePoint solution with a Visual Web Part project.

  2. Add two controls to the Web part: a text box and a button. Leave the names at their default values, TextBox1 and Button1, respectively.

  3. Add two entries to the Web part's Safe Control Entries property. To do this, choose the ellipsis (ASP.NET Mobile Designer ellipse) button next to the Safe Control Entries property in the Properties window.

    The Safe Control Entries dialog box appears.

  4. In the Safe Control Entries dialog box, choose the Add button twice to add two safe control entries to the Members pane: one for the button and one for the text box.

  5. Choose the first safe control entry, and then change the value of its Safe property to False, its Type Name property to Button1, and its Safe Against Script property to False.

    This step identifies the button control as an unsafe control.

  6. Choose the second safe control entry in the list. Leave the value of its Safe property as True and set its Type Name property to TextBox1 and its Safe Against Script property to True.

    The text box control is now marked as a control that is safe against script injection.

  7. Choose the OK button to close the dialog box.

To mark controls as safe or unsafe in the Package Designer

  1. Create a SharePoint solution with a Visual Web Part project.

  2. Add two controls to the Web part: a text box and a button. Leave the names at their default values, TextBox1 and Button1, respectively.

    Take note of the namespace of the control because it is used later.

  3. On the menu bar, choose Build, Build Solution to build the project.

  4. Create another SharePoint solution.

  5. In Solution Explorer, open the shortcut menu for the Package.Package file, and then choose Open to open the Package Designer.

  6. In the Package Designer, choose the Advanced tab.

  7. Under Additional Assemblies, choose the Add button, and then choose Add Existing Assembly from the list.

  8. In the Add Existing Assembly dialog box, choose the ellipsis (ASP.NET Mobile Designer ellipse) button next to Source Path.

  9. Choose the assembly from the SharePoint solution that you created in Step 1, and then choose the Open button.

  10. For this example, leave the Deployment Target option as GlobalAssemblyCache.

    This step causes the assembly to deploy to the system Global Assembly Cache (GAC). If you want the assembly to deploy to the Web application (Bin) folder, select that option instead. For more information, see Deploying Web Parts in SharePoint Foundation.

  11. In the Safe Controls box, choose the Click here to add a new item button.

  12. Enter the values for the properties from the following table.

    Property NameValue
    NamespaceThe fully-qualified namespace for the control, such as BdcModelProject1.VisualWebPart1.
    Type NameButton1
    Assembly NameA strong assembly name, such as: Microsoft.Office.SharePoint.ClientExtensions, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c.
    SafeClear the Safe check box.
    Safe Against ScriptLeave the Safe Against Script check box clear.
    System_CAPS_ICON_note.jpg Note


    The Assembly Name value for assemblies added through the Advanced tab of the Package Designer cannot be a token, it must be a strongly-named assembly. For more information, see Creating and Using Strong-Named Assemblies.

  13. Choose the Tab key to create another safe control entry.

  14. Choose the Click here to add a new item button again.

  15. Enter the values for the properties from the following table.

    Property NameValue
    NamespaceThe fully-qualified namespace for the control, such as BdcModelProject1.VisualWebPart1.
    Type NameTextBox1
    Assembly NameA strong assembly name, such as: Microsoft.Office.SharePoint.ClientExtensions, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c.
    SafeSelect the Safe check box.
    Safe Against ScriptSelect the Safe Against Script check box.
  16. Choose the Tab key, and then choose the OK button to close the dialog box.

Providing Packaging and Deployment Information in Project Items
Packaging and Deploying SharePoint Solutions

Show: