Best Pattern for AllowUnsafeUpdates

Posted by webwires on Stack Overflow See other posts from Stack Overflow or by webwires
Published on 2008-10-17T21:14:32Z Indexed on 2010/04/13 8:03 UTC
Read the original article Hit count: 397

Filed under:

sharepoint

|

spweb

|

spsite

So far, in my research I have seen that it is unwise to set AllowUnsafeUpdates on GET request operation to avoid cross site scripting. But, if it is required to allow this, what is the proper way to handle the situation to mitigate any exposure?

Here is my best first guess on a reliable pattern if you absolutely need to allow web or site updates on a GET request.

Best Practice?

protected override void OnLoad(System.EventArgs e)
{
    if(Request.HttpMethod == "POST")
    {
    	SPUtility.ValidateFormDigest();
    	// will automatically set AllowSafeUpdates to true
    }

    // If not a POST then AllowUnsafeUpdates should be used only
    // at the point of update and reset immediately after finished

    // NOTE: Is this true? How is cross-site scripting used on GET
    // and what mitigates the vulnerability?
}

// Point of item update
SPSecurity.RunWithElevatedPrivledges(delegate()
{
    using(SPSite site = new SPSite(SPContext.Current.Site.Url))
    {
    	using (SPWeb web = site.RootWeb)
    	{
    		bool allowUpdates = web.AllowUnsafeUpdates; //store original value
    		web.AllowUnsafeUpdates = true;

    		//... Do something and call Update() ...

    		web.AllowUnsafeUpdates = allowUpdates; //restore original value

    	}
    }
});

Feedback on the best pattern is appreciated.

© Stack Overflow or respective owner

Related posts about sharepoint

SharePoint 2010 MSDN Labs

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Eric Ligman, from Microsoft, posted a great blog post this week listing all of the SharePoint 2010 Virtual Labs that are available from Microsoft. His blog entry is here: http://blogs.msdn.com/b/mssmallbiz/archive/2012/03/13/sharepoint-server-2010-msdn-virtual-labs-available-to-you-online-plus-more-sharepoint-2010-resources… >>> More
Enterprise SharePoint 2010 Hosting, SharePoint Foundation 2010 Hosting, SharePoint Standard 2010 Hos

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Enterprise SharePoint 2010 Hosting, SharePoint Foundation 2010 Hosting, SharePoint Standard 2010 Hosting, Michigan Sclera, a Microsoft Hosted Services Provider Partner, is offering key Service Offerings around the Microsoft SharePoint Server 2010 stack. Specifically – if you’re looking for SharePoint… >>> More
SharePoint Personalization Site Links - Les liens personnalis?s des MySite SharePoint

as seen on ASP-PHP.net - Search for 'ASP-PHP.net'
Nous avons vu dans les articles pr?c?dents comment agr?menter les pages de recherche afin de permettre une meilleure adoption du produit par les utilisateurs. Il existe une autre fonctionnalit? de Microsoft Office SharePoint Server 2007 (MOSS) qui permet aussi de personnaliser un peu le MySite des… >>> More
Auditer une ferme SharePoint - Assurer le bon fonctionnement de SharePoint

as seen on ASP-PHP.net - Search for 'ASP-PHP.net'
Dans le cadre de la bonne gestion de son environnement SharePoint, il est utile de faire un contr?le de son installation afin d'assurer le bon fonctionnement des fermes et donc, la meilleure disponibilit? pour les usagers. Dans ce but, nous verrons comment auditer sa ferme facilement et les traitements… >>> More
Using jQuery and SPServices to Display List Items

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
I had an interesting challenge recently that I turned to Marc Anderson’s wonderful SPServices project for. If you haven’t already seen or used SPServices, please do. It’s a jQuery library that does primarily two things. First, it wraps up all of the SharePoint web services in a nice little AJAX wrapper… >>> More

Related posts about spweb

SPWeb.Url returns wrong URL

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a web application in SharePoint that has been extended to another zone (Extranet). The access URL for the default zone is http ://server1, and the URL for the extranet zone is https: //www.server1.com. Now, when I access the site via the extranet zone, I find that SPContext.Current.Web.Url… >>> More
SPWeb.Webs, Site vs SubSite

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I have a very basic question here. I am confused between SPSite. SiteCollection and SPWeb. So my understanding is (or what I could research on this) that, http://My_server TOP Level SIte or SPWEbApplication http://My_server/My_site Site Collection or SPSite Now a site under SPSite that… >>> More
Creating a Document Library with Content Type in code

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Originally posted on: http://geekswithblogs.net/djacobus/archive/2013/10/15/154360.aspxIn the past, I have shown how to create a list content type and add the content type to a list in code. As a Developer, many of the artifacts which we create are widgets which have a List or Document Library as… >>> More
Using the Data Form Web Part (SharePoint 2010) Site Agnostically!

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Originally posted on: http://geekswithblogs.net/djacobus/archive/2013/10/24/154465.aspxAs a Developer whom has worked closely with web designers (Power users) in a SharePoint environment, I have come across the issue of making the Data Form Web Part reusable across the site collection! In SharePoint… >>> More
Is there built-in method to tell if specific URL belongs to this SPWeb or other SPWeb?

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello. I have a list of urls (content type usage url's). Now, content types are deployed across web's. I need to loop those content types and do some actions in each list, but opening new SPWeb instance every loop is too resource intensive. Is there built-in method to tell me if this URL belongs… >>> More