Why do we need to use AllowUnsafeUpdates?

If you want to update the content database (update a site, web, list, library, etc.) as the result of a GET request, you have to set the AllowUnsafeUpdates property to true. Microsoft has kept this property to protect the site from cross-site scripting attacks.


Some Points:
• FormDigest is a hidden control in the page that checks POST requests (modifications to the content DB) and throws an error if the request is invalid (e.g. a GET request that modifies the content DB is an invalid request). To bypass this validation, we need to set the AllowUnsafeUpdates property to true.
• If you are updating the content database using a POST request, just call SPUtility.ValidateFormDigest() in your code. It validates the request, and after that the AllowUnsafeUpdates value is set to true by default. So if you are using a POST request, you don't need to set the AllowUnsafeUpdates property.
• If the application is running in an HttpContext (web part, application page, etc.) and the request type is GET, you will not be able to modify the content DB. By default the AllowUnsafeUpdates property value is false for a GET request. To update the content DB in a GET request, you have to set the AllowUnsafeUpdates property value to true.
• If you are using a console application, where the HttpContext object is not available (as it is not a web request), you do not need to set the AllowUnsafeUpdates property to update the content DB. Its value is always set to true.
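The POST and GET cases from the list above in one application page, as an added example that is not code from the original page. The class name, the "Tasks" list and its "Status" and "LastViewed" fields are assumptions; the page is assumed to contain the FormDigest control.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

// Hypothetical application page. The "Tasks" list and its "Status" and
// "LastViewed" fields are assumptions made for this example.
public class TaskStatusPage : LayoutsPageBase
{
    protected void Page_Load(object sender, EventArgs e)
    {
        SPWeb web = SPContext.Current.Web;   // owned by SPContext: do not dispose
        int id;
        if (!int.TryParse(Request.QueryString["id"], out id)) return;

        if (Request.HttpMethod == "POST")
        {
            // POST: validate the digest posted by the FormDigest control.
            // No AllowUnsafeUpdates assignment is needed on this path.
            if (!SPUtility.ValidateFormDigest())
                throw new SPException("Form digest validation failed.");
            SetField(web, id, "Status", "Completed");
        }
        else
        {
            // GET: the update is refused unless AllowUnsafeUpdates is true.
            // Enable it only around the write and restore the old value.
            bool previous = web.AllowUnsafeUpdates;
            try
            {
                web.AllowUnsafeUpdates = true;
                SetField(web, id, "LastViewed", DateTime.UtcNow);
            }
            finally
            {
                web.AllowUnsafeUpdates = previous;
            }
        }
    }

    private static void SetField(SPWeb web, int id, string field, object value)
    {
        SPList list = web.Lists.TryGetList("Tasks");
        if (list == null) throw new SPException("List 'Tasks' not found.");
        SPListItem item = list.GetItemById(id);  // throws if the id does not exist
        item[field] = value;
        item.Update();
    }
}
```

The GET branch writes only a server-chosen timestamp, so a forged link cannot choose the value that is stored; the status change itself stays on the digest-validated POST path.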

© 2019 Code SharePoint