Share via

How to: Mark Controls as Safe Controls

  • Article

For security, SharePoint differentiates between Web controls that are protected against script injection and Web controls that are not. Protected controls, or safe controls, can be accessed by untrusted users. You can mark controls as safe in the Safe Control Entries property of a SharePoint project item or in the Package Designer when you add an assembly to the package. For more information, see

web.config file Settings Change and Registering a Web Part Assembly as a Safe Control.

Important

These procedures are for illustrative purposes. Mark controls safe only if you are certain that they are secure.

Marking Safe Controls in the Safe Control Entries Property

To mark controls as safe or unsafe in the Safe Control Entries property

  1. Create a SharePoint solution with a Visual Web Part project.

  2. Add two controls to the Web part: a text box and a button. Leave the names at their default values, TextBox1 and Button1, respectively.

  3. Add two entries to the Web part's Safe Control Entries property. To do this, click the ellipsis (ASP.NET Mobile Designer ellipse) button next to Safe Control Entries in the Properties window.

    The Safe Control Entries dialog box appears.

  4. In the Safe Control Entries dialog box, click Add twice to add two safe control entries to the Members pane: one for the button and one for the text box.

  5. Click the first safe control entry and change its Safe property to False, its Type Name property to Button1, and its Safe Against Script property to False.

    This step identifies the button control as an unsafe control.

  6. Click the second safe control entry in the list. Leave its Safe property as True and set its Type Name property to TextBox1 and its Safe Against Script property to True.

    The text box control is now marked as a control that is safe against script injection.

  7. Click OK to close the dialog box.

Marking Safe Controls in the Package Designer

To mark controls as safe or unsafe in the Package Designer

  1. Create a SharePoint solution with a Visual Web Part project.

  2. Add two controls to the Web part: a text box and a button. Leave the names at their default values, TextBox1 and Button1, respectively.

    Take note of the namespace of the control because it is used later.

  3. Click Build Solution on the Build menu to build the project.

  4. Create another SharePoint solution.

  5. Double-click the Package.Package file in Solution Explorer to open the Package Designer.

  6. In the Package Designer, click the Advanced tab.

  7. Under Additional Assemblies, click the Add button and select Add Existing Assembly from the list.

    The Add Existing Assembly dialog box appears.

  8. In the Add Existing Assembly dialog box, click the ellipsis (ASP.NET Mobile Designer ellipse) button next to Source Path.

  9. For this example, leave the Deployment Target option as GlobalAssemblyCache.

    This step causes the assembly to deploy to the system Global Assembly Cache (GAC). If you want the assembly to deploy to the Web application (Bin) folder, select that option instead. For more information, see Deploying Web Parts in SharePoint Foundation.

  10. In the Safe Controls box, click the Click here to add a new item button.

  11. Enter the values for the properties from the following table.

    Property Name

    Value

    Namespace

    The fully-qualified namespace for the control, such as BdcModelProject1.VisualWebPart1.

    Type Name

    Button1

    Assembly Name

    A strong assembly name, such as: Microsoft.Office.SharePoint.ClientExtensions, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c.

    Safe

    Clear the Safe check box.

    Safe Against Script

    Leave the Safe Against Script check box clear.

    Note

    The Assembly Name value for assemblies added through the Advanced tab of the Package Designer cannot be a token, it must be a strongly-named assembly. For more information, see Creating and Using Strong-Named Assemblies.

  12. Press TAB to create another safe control entry.

  13. Click the Click here to add a new item button again.

  14. Enter the values for the properties from the following table.

    Property Name

    Value

    Namespace

    The fully-qualified namespace for the control, such as BdcModelProject1.VisualWebPart1.

    Type Name

    TextBox1

    Assembly Name

    A strong assembly name, such as: Microsoft.Office.SharePoint.ClientExtensions, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c.

    Safe

    Select the Safe check box.

    Safe Against Script

    Select the Safe Against Script check box.

  15. Click OK to close the dialog box.

See Also

Concepts

Providing Packaging and Deployment Information in Project Items

Other Resources

Packaging and Deploying SharePoint Solutions