12/23/2009

SharePoint: The security validation for this page is invalid

 

Note: The following applies to both SharePoint 2007 and 2010.


When you create an ASPX page in the LAYOUTS folder that updates SharePoint content via the API (mylistitem.Update), you may get the following message when posting back to the page:

 

[Screenshots: the error message as displayed in SharePoint 2007 and in SharePoint 2010]

Many articles on the web suggest using AllowUnsafeUpdates:

SPWeb web = SPContext.Current.Web;
web.AllowUnsafeUpdates = true;


While this works, it turns off the security validation check for updates made through that SPWeb object, which opens the page up to cross-site scripting vulnerabilities. (See here: MSDN)

A better practice is to add a FormDigest control to your page. (See details here: MSDN)  If you are not using a master page or a complete “SharePoint page” then you will also need to add a Register line to reference Microsoft.SharePoint.WebControls.

The reference:

<%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>

The control:

  <SharePoint:FormDigest runat="server" />

A sample page:

 

<%@ Page Language="C#" AutoEventWireup="true"  CodeFile="Default.aspx.cs" Inherits="_default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>


<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
  <title>Untitled Page</title>
</head>
<body>
  <form id="form1" runat="server">
    <SharePoint:FormDigest runat="server" />
    <div>
      <asp:TextBox ID="txtSomeText" runat="server" />
      <asp:Button ID="btnReplace" runat="server" Text="Replace" OnClick="btnDoSomeWork_Click" />
    </div>
  </form>
</body>
</html>
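
A possible code-behind (Default.aspx.cs) for the sample page, added here as an example and not part of the original post: the click handler updates a list item without touching AllowUnsafeUpdates and relies on the digest posted by the FormDigest control. The list title "Announcements", the choice of the first item, and the "Title" field are assumptions made for illustration.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public partial class _default : System.Web.UI.Page
{
    protected void btnDoSomeWork_Click(object sender, EventArgs e)
    {
        // The FormDigest control on the page posts a __REQUESTDIGEST value
        // with the form. Check it explicitly before changing any content,
        // and stop if SharePoint reports it as invalid.
        if (!SPUtility.ValidateFormDigest())
        {
            throw new SPException("The security validation for this page is invalid.");
        }

        // SPContext owns this SPWeb, so it must not be disposed here.
        SPWeb web = SPContext.Current.Web;

        // Hypothetical list name, used only for this example.
        SPList list = web.Lists["Announcements"];
        if (list.ItemCount == 0)
        {
            return; // nothing to update
        }

        // Fetch the collection once; each call to list.Items queries the list again.
        SPListItemCollection items = list.Items;
        SPListItem item = items[0];

        // txtSomeText is the TextBox declared in the sample page.
        item["Title"] = txtSomeText.Text;

        // No web.AllowUnsafeUpdates = true is needed: the update happens on a
        // POST that carries a digest issued for this user and site.
        item.Update();
    }
}
```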







4 comments:

Ashwin Raj said...

I am encountering this error message when trying to update the property of a list item from a console application that employs SharePoint API to make changes. However, if I run the application a second time, it seems to eventually become successful in making the update. I am not sure how to apply the suggestion in your article to my [console] application.

Mike Smith said...

Ashwin Raj,

Interesting... I would not think you would get a "page is invalid" error from a console application. Nothing in this article would help you, as you can't add this control to a console app.

Does the list have an event receiver or workflow?

sini said...

Hi Mike,

I get the same error when associating a workflow to a list.

Tried allow unsafe updates, but still throws this error... any suggestions pls.

Regards,
Sini

Mike Smith said...

Sini,

What is the workflow doing that would impact security?

SharePoint Designer or Visual Studio workflow?

2007 or 2010?

You might need to run part of your code with elevated permissions.

Consider posting your question here: http://social.msdn.microsoft.com/Forums/en-US/sharepoint2010programming/threads

or for 2007:
http://social.msdn.microsoft.com/Forums/en-US/sharepointdevelopment/threads

Mike
