
Does the AllowUnsafeUpdates property need to be set while a list item is fetched in SharePoint?


I am new to a SharePoint 2010 project. When I went through the code, in many places I found the SPWeb.AllowUnsafeUpdates property set to true, even when there are no updates to any elements of the lists. There is some list data fetching. Is it relevant to set AllowUnsafeUpdates to true when there is no update to any of the lists?

    SPWeb thisWeb = workflowProperties.Web;
    thisWeb.AllowUnsafeUpdates = true;
    SPList EmployeeDetails = thisWeb.Lists[BasicEmployeeDetailsList];
    SPList list = workflowProperties.Web.Lists[workflowProperties.List.ID];
    SPListItem compensatoryLeaveItem = workflowProperties.Item;
    DataTable creatermail = new DataTable();
    editurl = workflowProperties.SiteUrl.ToString() + list.DefaultEditFormUrl + "?ID=" + compensatoryLeaveItem["ID"].ToString() + "&Popup=false";
    string EmployeeDetailsID = compensatoryLeaveItem["Created By"].ToString().Substring(compensatoryLeaveItem["Created By"].ToString().IndexOf('#') + 1);
    string listQuery = "<Where><Eq><FieldRef Name='LoginName' /><Value Type='User'>" + EmployeeDetailsID + "</Value></Eq></Where>";
    SPQuery query = new SPQuery();
    query.Query = listQuery;
    SPListItemCollection createrCol = EmployeeDetails.GetItems(query);
    creatermail = createrCol.GetDataTable();
    createdbymail = creatermail.Rows[0][FieldMail].ToString();
    creater = creatermail.Rows[0][FieldFullName].ToString();
    GetHrDetails(thisWeb);
    thisWeb.AllowUnsafeUpdates = false;

Solution

  • If there are truly no updates taking place then, to my knowledge, there is no need to be setting SPWeb.AllowUnsafeUpdates = true. To understand what this property is doing we can quote the MSDN documentation:

    Gets or sets a Boolean value that specifies whether to allow updates to the database as a result of a GET request or without requiring a security validation.

    And further on:

    Setting this property to true opens security risks, potentially introducing cross-site scripting vulnerabilities.

    So this is designed to protect your SharePoint sites. You should try NOT to update your SharePoint sites as a result of a GET request or where there has been no security validation. You might find this more detailed explanation useful on Hristo Pavlov's blog. I did when I was trying to understand it.

    The code you posted appears not to be performing an update and only reading data, so no, I do not think it is relevant.
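
The distinction drawn in the answer above, as an added example that is not part of the original question or answer: a read-only lookup that never touches AllowUnsafeUpdates, next to an update made from a page request that is accepted only on a POST with a valid form digest. The class, method and parameter names are hypothetical, and the query shape is assumed from the question's code.

```csharp
using System;
using System.Web;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Added example; LeaveRequestHelper and its members are hypothetical names.
public static class LeaveRequestHelper
{
    // Read-only lookup: GetItems only reads from the content database,
    // so AllowUnsafeUpdates stays at its default (false).
    public static string GetCreatorMail(SPWeb web, string listTitle,
                                        string mailField, string loginName)
    {
        SPList employees = web.Lists[listTitle];

        SPQuery query = new SPQuery();
        // Encode the value so markup characters cannot alter the CAML.
        query.Query =
            "<Where><Eq><FieldRef Name='LoginName' /><Value Type='User'>"
            + SPEncode.HtmlEncode(loginName)
            + "</Value></Eq></Where>";
        query.RowLimit = 1;

        SPListItemCollection items = employees.GetItems(query);
        if (items.Count == 0)
        {
            return null; // no matching employee; the caller decides what to do
        }

        object mail = items[0][mailField];
        return mail == null ? null : mail.ToString();
    }

    // Update from a page request: refuse GET and require the security
    // validation instead of switching the check off with AllowUnsafeUpdates.
    public static void SetField(HttpRequest request, SPListItem item,
                                string fieldName, string value)
    {
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("Updates are only accepted on POST.");
        }
        if (!SPUtility.ValidateFormDigest())
        {
            throw new UnauthorizedAccessException("Security validation failed.");
        }

        item[fieldName] = value;
        item.Update();
    }
}
```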