SPC020203: Avoid setting 'AllowUnsafeUpdates' on SPSite

The assembly should not call Microsoft.SharePoint.SPSite.AllowUnsafeUpdates to make changes to SPSite with a lower security context. Setting this property to true opens security risks, potentially introducing cross-site scripting vulnerabilities.

TypeName: AvoidCallToAllowUnsafeUpdatesOnSPSite
CheckId: SPC020203
Severity: CriticalWarning
Type: AssemblyFileReference

Remove calls to 'Microsoft.SharePoint.SPSite.AllowUnsafeUpdates' to avoid changes with a lower security context. If you need to use it, make sure to change the value back to its original state after your operations. See the sample below:

Good Practice:

public void FunctionWithUnsafeOperation(SPSite site)
{
    bool allowUpdates = site.AllowUnsafeUpdates; // save original value
    try
    {
        site.AllowUnsafeUpdates = true;
        // operate on site
    }
    finally { site.AllowUnsafeUpdates = allowUpdates; } // restore original value, even if an exception is thrown
}

