To help secure SharePoint and the users who use SharePoint from malicious code, some changes
were made in 2010 to prevent Cross - Site Scripting (XSS) attacks. Some of this will affect the way
your applications may work. Part of these changes had to be made because of the new Client Object
Model in SharePoint, where malicious users could possibly cut and paste code into properties in
SharePoint and attempt to perform bad operations.
One example of a change relates to web parts. By default, contributors now are not allowed to
view/edit custom web part properties. As a developer, you can override this default behavior either
through an object model attribute — RequiresDesignerPermissionAttribute — or through
a SafeControl attribute — SafeAgainstScript . The object model attribute wins over the
SafeControl attribute, so if you set the OM attribute to false, then contributors would not be able
to view/edit custom web part properties even if SafeAgainstScript were set to true. Note that
this is true only for general web parts. If the user has personalized the web part either by making
personal settings or by adding it as a personal web part, then these changes won ’ t be implemented
for those web parts. You will have to implement custom code to allow this customization.
Another change relates to how fi les are handled. SharePoint 2010 does not allow HTML fi les to be
rendered in document libraries. Therefore, if your application has been posting HTML fi les to
document libraries and your end users have been viewing them in the browser, this won ’ t work in
2010. Instead, SharePoint will force the users to save the HTML fi les locally before viewing them.
This is implemented using HTTP headers and is confi gurable at the List or Web Application level, or
you can change the Safe List by Mime Type to allow this operation.
Another change is that the functionality that enabled contributors to upload ASPX fi les in 2007 is
blocked in 2010. This is an important change to be aware of, because it may break the way your
2007 application works.
were made in 2010 to prevent Cross - Site Scripting (XSS) attacks. Some of this will affect the way
your applications may work. Part of these changes had to be made because of the new Client Object
Model in SharePoint, where malicious users could possibly cut and paste code into properties in
SharePoint and attempt to perform bad operations.
One example of a change relates to web parts. By default, contributors now are not allowed to
view/edit custom web part properties. As a developer, you can override this default behavior either
through an object model attribute — RequiresDesignerPermissionAttribute — or through
a SafeControl attribute — SafeAgainstScript . The object model attribute wins over the
SafeControl attribute, so if you set the OM attribute to false, then contributors would not be able
to view/edit custom web part properties even if SafeAgainstScript were set to true. Note that
this is true only for general web parts. If the user has personalized the web part either by making
personal settings or by adding it as a personal web part, then these changes won ’ t be implemented
for those web parts. You will have to implement custom code to allow this customization.
Another change relates to how fi les are handled. SharePoint 2010 does not allow HTML fi les to be
rendered in document libraries. Therefore, if your application has been posting HTML fi les to
document libraries and your end users have been viewing them in the browser, this won ’ t work in
2010. Instead, SharePoint will force the users to save the HTML fi les locally before viewing them.
This is implemented using HTTP headers and is confi gurable at the List or Web Application level, or
you can change the Safe List by Mime Type to allow this operation.
Another change is that the functionality that enabled contributors to upload ASPX fi les in 2007 is
blocked in 2010. This is an important change to be aware of, because it may break the way your
2007 application works.
No comments:
Post a Comment
Thank you for Commenting Will reply soon ......