SPC020202: Avoid setting 'AllowUnsafeUpdates' on SPWeb

The assembly should not call Microsoft.SharePoint.SPWeb.AllowUnsafeUpdates to run make changes to SPWeb with a lower security context. Setting this property to true opens security risks, potentially introducing cross-site scripting vulnerabilities.

TypeName: AvoidCallToAllowUnsafeUpdatesOnSPWeb
CheckId: SPC020202
Severity: CriticalWarning
Type: AssemblyFileReference

Remove calls to 'Microsoft.SharePoint.SPWeb.AllowUnsafeUpdates' to avoid changes with a lower security context. If you need to use it ensure to change the value back to its original state after your operations. See sample below:

Good Practice:

public void FunctionWithUnsafeOperation(SPWeb web)
    web.AllowUnsafeUpdates = true;
    // operate on web
    web.AllowUnsafeUpdates = false;


comments powered by Disqus