Trending issue: after installing September 2020 CU and PU custom pages and controls fail to render

September 2020 included a several important security fixes for all supported versions of Sharepoint (2010, 2013, 2016 and 2019).
Some of these security fixes have tightend the security requirements for 1st party and 3rd party solutions integrated with SharePoint.

Affected Microsoft Products which integrate with SharePoint and which are affected by this change include Microsoft Identity Manager (MIM) portal pages and Dynamix AX.

Here is a quick summary of the requirements which are enforced now:

  • code behind classes and web parts need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • custom user controls (ascx pages) need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • custom server controls need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • inline code blocks in pages are blocked. Pages which require that have to be whitelisted explicitly using <PageParserPath…> entries in the web.config
  • declarative statements in pages and master pages which invoke server side code (e.g. autoeventwireup, enablesessionstate, serverside event receivers for page actions, …) are blocked. Pages which require that have to whitelisted explicitly using <PageParserPath…> entries in the web.config

 

Symptoms

One or more of the following error message can occur for an affected page:

  • The attribute ‘autoeventwireup’ is not allowed in this page.
  • The attribute ‘enablesessionstate’ is not allowed in this page.
  • Code blocks are not allowed in this file.
  • The event handler ‘…’ is not allowed in this page. (… is a place holder and can mean any event type like OnClick, OnSelectedIndexChanged, …)
  • UnsafeControlException: A Web Part or Web Form Control on this Page cannot be displayed or imported. The type could not be found or it is not registered as safe.
  • The referenced file ‘/_layouts/somedirectory/affectedusercontrol.ascx’ is not allowed on this page.

 

Solution

Important: you should only whitelist affected pages and controls if these pages and controls are ghosted and remain ghosted. Ghosted means that they are deployed to the file system through custom solutions and are not modified afterwards using tools like SharePoint designer. Unghosted pages live in the SharePoint database while ghosted pages live on the file system. Modifications done through unghosting are not under the control of a SharePoint administrator and they should therefor be treated as unsafe and should not be unblocked.

 

Examples for web.config entries which can help to whitelist pages:

For blocked code behind files and server controls you need to whitelist the relevant classes using SafeControl elements similar to the following:

<SafeControl
   Assembly="CustomSolution.AssemblyName, Version=1.2.3.4,Culture=neutral, PublicKeyToken=11aa22bb33cc44dd"
   Namespace="CustomSolution.AssemblyName.NameSpace"
   TypeName="AffectedClass"
   AllowRemoteDesigner="True" Safe="True" SafeAgainstScript="True" />

Assembly, Namespace and TypeName in the above example has to be adjusted to reflect the information for the affected class.

If all controls and classes in a given assembly and namespace are safe you can use “*” as wildcard for the TypeName to whitelist all controls and classes at once. Please review your code carefully before applying this step to ensure that you are only whitelisting classes which are intended to be used in the affected pages.

 

To whitelist a directory hosting the affected user controls (.ascx) use a SafeControl element with the following syntax:

<SafeControls>
    <SafeControl Src="~/_layouts/somedirectory/*" IncludeSubFolders="True" Safe="True" AllowRemoteDesigner="True" SafeAgainstScript="True" />
</SafeControls>

or

<SafeControls>
    <SafeControl Src="~/_layouts/somedirectory/*" IncludeSubFolders="True" Safe="True" />
</SafeControls>

To whitelist pages or master pages which have inline code or include declarative statements which invoke server side code you need to whitelist them using a PageParserPath element similar to the following:

<SafeMode MaxControls="200" CallStack="false" DirectFileDependencies="15" TotalFileDependencies="250" AllowPageLevelTrace="false">
    <PageParserPaths>
        <PageParserPath VirtualPath="/<relativepath>/page.aspx" CompilationMode="Always" AllowUnsafeControls="true" AllowServerSideScript="true" />
    </PageParserPaths>
</SafeMode>

Important: do not add IncludeSubFolders=”True” in this line when specifying a specific page as above!

VirtualPath is the server relative path starting at the root of your web application. In case you are using the same user control in multiple sites or collections you need to add a separate entry for each occurance.

To whitelist all controls in a given directory you can use the following syntax:

<SafeMode MaxControls="200" CallStack="false" DirectFileDependencies="15" TotalFileDependencies="250" AllowPageLevelTrace="false">
    <PageParserPaths>
        <PageParserPath VirtualPath="/<relativepath>/*" CompilationMode="Always" AllowUnsafeControls="true" AllowServerSideScript="true" IncludeSubFolders="True"/>
    </PageParserPaths>
</SafeMode>

 

DirectFileDependencies indicates the number of allowed direct file dependencies. If you receive an error message such as “The number of allowed direct file dependencies exceeds the limit,” you can increase this value.

 

To simplify adding the PageParserPath elements to the web.config you can use the following powershell script created by Joe Rodgers which ensures that the entry is set on all servers in your farm:

https://gist.github.com/joerodgers/91e8d70ae477ab84fe41c9395ffdcd82

 

More information

See the following KB article for more information:

  • KB 4584132 – Ghosted pages in SharePoint don’t render

38 Comments


  1. Ciao Stefan,
    thank you for your post!
    Regarding your post about some fixes that will cause problems on SharePoint… I don’t understand the connection between the MIM and the problem pointed out by you… MIM portal pages…what means?

    I have a MIM solution installed on another server for synchronize user profile value from SAP to SharePoint
    but we dont have WebPart or custom page.
    I would like some more clarification about your post 🙂

    Thank you very much!

    Reply

    1. sorry for the smile!! I don’t know how it came out! sorry

      Reply

      1. No worries – it was a problem in the CSS styles of my blog.
        I have fixed it now.

        Reply

        1. Ciao Stefan,
          thank you for your post!

          Regarding your post about some fixes that will cause problems on SharePoint… I don’t understand the connection between the MIM and the problem pointed out by you… MIM portal pages…what means?

          I have a MIM solution installed on another server for synchronize user profile value from SAP to SharePoint(witth a custom .DLL )
          but we dont have WebPart or custom page.
          I would like some more clarification about your post for understand if our SharePoint 2013 farm will be affected.

          Thank you!

          Reply

  2. PowerPivot is concerned in SP 2013 when accessing to admin pages in Central Administration.

    Reply

    1. Hi Loic,
      I don’t have a system in this configuration.
      Would be great if you could share here the affected controls/pages and how you solved it.
      It would certainly help the community.
      Thanks,
      Stefan

      Reply

      1. Hi,
        I hope your post will help me.
        Actually, in SP 2013, in Central Administration, Application Management, Manage Services application, PowerPivot Service Application, the access to the ServiceAppDashboard.aspx generates the “attribute autoeventwireup is not allowed in this page” error.
        Let see this problem next Week.
        Thanks to your to share this kind of information.
        Loïc

        Reply

        1. Hi Loic,
          ok, for this issue a PageParserPath needs to be configured. Be aware that after this is solved also some SafeControl elements might be required to fix it. Such issues are often hidden behind the issue you see right now as the inline code check fires first before binary references are evaluated.
          Cheers,
          Stefan

          Reply

  3. Hi Stefan,

    Will October CU fix this issue? Do you recommend to wait for October CU for users who do not install September CU yet?

    -Yuseon

    Reply

    1. Hi Yuseon,
      there seems to be a misunderstanding: this is not a regression or a problem that was introduced.
      This behavior was introduced to solve a security issue through a security fix.
      I do not see that this behaviour would be changed or reverted going forward.
      Expect this to be the new normal which needs to be taken into consideration when developing custom applications for SharePoint.
      Cheers,
      Stefan

      Reply

  4. Hi Stefan,

    In our case, after applying the CU, accessing the search main page (https://oursearch/Pages/default.aspx), gives us the following error: Unknown server tag ‘SharePoint:BrowseStyleBlock’. We have checked for Register tags on master pages and so, but no luck. Any hint?

    Reply

    1. Hi Ismael,
      I haven’t seen this but this seems to be an unrelated issue as it is not a blocked page or control but an unknown tag in a page.
      My recommendation would be to open a ticket with Microsoft Support.
      Cheers,
      Stefan

      Reply

      1. Many thanks, good to know that at least is not related to blocked pages or control ones.

        Cheers,
        Ismael

        Reply

        1. The SharePoint:BrowseStyleBlock issue can occur if KB 4484515 was installed without 4484525. There is a dependency between them.

          Reply

          1. Search Center results pages were broken for us with the same error: ‘Unknown server tag ‘SharePoint:BrowseStyleBlock’.
            Installing KB 4484525 fixed the issue. Thanks so much for the solution @Ed Barnes!


  5. Added this to our 2013 environment and this resolved the conflicts we noticed.

    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards" TypeName="*" />
    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards" TypeName="*" />
    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards.TransformerConfigurationRecord" TypeName="*" />
    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards.TransformerConfigurationRecord" TypeName="*" />
    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.WebControls, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards.WebControls" TypeName="*" />
    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.WebControls, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards.WebControls" TypeName="*" />

    Note: “Microsoft.PerformancePoint.Scorecards.WebControls” already existed.

    Reply

    1. Hi Matt,
      thanks Matt!
      No PageParserPath elements were required?
      Cheers,
      Stefan

      Reply

  6. Not yet but that farm doesn’t have much as 99% is moved to 2019. So far our 2019 has no known issues based on our regular test cases but we are holding off on promoting this to Stage/Prod until more testing is performed.

    Thank you very much for posing this and everything you have been doing.

    Reply

    1. Thanks Mark! I will reference it in the article above.

      Reply

  7. Hi,

    we’ve a custom pages on sharepoint 2013 enviroment,

    after applying this securty update, we got many System.NullReferenceException
    Object reference not set to an instance of an object.

    below erro logs from some of these pages

    System.NullReferenceException: Object reference not set to an instance of an object.
    at W.SharePoint.Item.GetService(Type serviceType)
    at W.Extensions.GetService[T](IServiceProvider serviceProvider, Boolean required)
    at W.SharePoint.Solutions.ObjectModel.WorkflowTaskInstance.get_TaskConfiguration()
    at W.SharePoint.Solutions.WorkflowContext.get_TaskConfiguration()
    at W.SharePoint.Solutions.UI.Controls.TaskFormPlaceholder.OnInit(EventArgs e)
    at System.Web.UI.Control.InitRecursive(Control namingContainer)
    at System.Web.UI.Control.InitRecursive(Control namingContainer)
    at System.Web.UI.Control.AddedControl(Control control, Int32 index)
    at Microsoft.SharePoint.WebPartPages.ListFormWebPart.CreateChildControls()
    at System.Web.UI.Control.E… cb5f7e9f-0f0c-5006-2e69-55b98c7f771d

    System.NullReferenceException: Object reference not set to an instance of an object. at G.Epm.WebParts.PWAWebParts.RedirectUsers.RedirectUsersUserControl.Page_Load(Object sender, EventArgs e)

    at System.Web.UI.Control.OnLoad(EventArgs e)
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.AddedControl(Control control, Int32 index)
    at G.Epm.WebParts.PWAWebParts.RedirectUsers.RedirectUsers.CreateChildControls()
    at System.Web.UI.Control.EnsureChildControls()
    at System.Web.UI.Control.PreRenderRecursiveInternal()
    at System.Web.UI.Control.PreRenderRecursiveInternal()
    at System.Web.UI.Control.PreRenderRecursiveInternal()
    at System.Web.UI.Control.PreRenderRecursiveInternal()
    at System.Web.UI.Control.PreRenderRe

    could you please help ?

    Reply

    1. Hi Ahmad,
      the exceptions all seem to originate in 3rd party controls as the relevant namespaces are not part of SharePoint (e.g. W.sharePoint…., G.Epm.WebParts…).
      Be aware that certain configuration settings are required now as outlined above.
      Please ensure that the correct entries for these controls are in the web.config. If the issue persists or if you are unsure what to configure, please work with the developer of these 3rd party controls to investigate this further.
      Cheers,
      Stefan

      Reply

  8. hi, i am having the issue when i click on the “Result Sources,” “Query Rules,” “Search Result Sources,” or “Search Query Rules” page from the Search Settings section of Site Settings.

    get this issue in the logs –

    System.NullReferenceException: Object reference not set to an instance of an object.
    at Microsoft.Office.Server.Search.Internal.UI.SearchObjectAdminPageBase.ErrorHandler(Object sender, EventArgs e)
    at System.Web.UI.Page.HandleError(Exception e)
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest()
    at System.Web.UI.Page.ProcessRequest(HttpContext context)
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously

    it mentions on https://support.microsoft.com/en-gb/help/4484525/security-update-for-sharepoint-foundation-2013-sept-8-2020 to use Powershell but really this isnt a fix just a workaround.

    Reply

    1. Hi Matt,
      yes – it is a workaround till a fix has been released.
      The fix is currently planned for October CU.
      Cheers,
      Stefan

      Reply

      1. Thanks Stefan for the heads up. much appericated.

        Reply

  9. Hi Stefan,

    We have installed Sep 2020 security patches in Sharepoint 2013 environment. While search services and everything fine custom search is not working. We getting this error “Unknown server tag ‘SharePoint:BrowseStyleBlock’ ” while trying to search something. Can you please me on this issue.

    Regards,
    Naga

    Reply

    1. Hi Naga,
      this should be fixed if you install the complete September CU rather than just the security fix.
      Cheers,
      Stefan

      Reply

  10. Applied September 2020 CU to Sharepoint 2016 An error occurred during the processing of /searchadministration.aspx. Code blocks are not allowed in this file

    When I try to access in Central Admin, then Manage services, click on “Search Service Application, I get the following error

    “Sorry, something went wrong
    An error occurred during the processing of /searchadministration.aspx. Code blocks are not allowed in this file”

    I tried applying the following to Central admin web.config, but did not resolves it.

    Uls log

    Timestamp
    Process
    TID Area Category EventID Level Message
    Correlation
    10/01/2020 01:04:38.23 w3wp.exe (Server:0x2084)
    0x2794 SharePoint Foundation
    Logging Correlation Data
    xmnv Medium
    Name=Request (GET:http://Server01:10000/searchadministration.aspx?appid=e699f757-c9a5-4744-b6b5-a3de117c5b5d)
    004f7f9f-7ddd-004f-9044-4f005639bb57
    10/01/2020 01:04:38.25 w3wp.exe (Server0x2084)
    0x2794 SharePoint Foundation
    Logging Correlation Data
    xmnv Medium
    Site=/ 004f7f9f-7ddd-004f-9044-4f005639bb57
    10/01/2020 01:04:38.25 w3wp.exe (Server:0x2084)
    0x2794 SharePoint Foundation
    Runtime
    tkau Unexpected
    System.Web.HttpException: Code blocks are not allowed in this file. at System.Web.UI.TemplateParser.ProcessError(String message) at System.Web.UI.TemplateParser.EnsureCodeAllowed() at System.Web.UI.TemplateParser.ProcessCodeBlock(Match match, CodeBlockType blockType, String text) at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding) at System.Web.UI.TemplateParser.ParseString(String text, VirtualPath virtualPath, Encoding fileEncoding) 004f7f9f-7ddd-004f-9044-4f005639bb57
    10/01/2020 01:04:38.25 w3wp.exe (Server:0x2084)
    0x2794 SharePoint Foundation
    WOPI aubgn Monitorable
    SPOIncidentsDetectionJob.UpdateErrorTextsIfNeeded: System.InvalidOperationException: Nullable object must have a value. at System.ThrowHelper.ThrowInvalidOperationException(ExceptionResource resource) at Microsoft.SharePoint.Administration.SPOIncidentsDetectionJob.GetSPOIncidentBitStatus() at Microsoft.SharePoint.Administration.SPOIncidentsDetectionJob.UpdateErrorTextsIfNeeded(String& errorText, String& linkText, String& linkUrl, Boolean& shouldIgnoreLinkValidation)
    004f7f9f-7ddd-004f-9044-4f005639bb57
    10/01/2020 01:04:38.25 w3wp.exe (Server:0x2084)
    0x2794 SharePoint Foundation
    General
    aat87 Monitorable
    004f7f9f-7ddd-004f-9044-4f005639bb57
    10/01/2020 01:04:38.26 w3wp.exe (Server :0x2084)
    0x2794 SharePoint Foundation
    Micro Trace
    uls4 Medium
    Micro Trace Tags: 0 avwhy,0 nasq,0 az4z8,0 avwhz,0 aytib,0 avwh6,0 az4z8,0 agb9s,0 ajd6k,0 ajd6l,0 avwh7,0 avwh8,0 avwh0,0 a0t92,0 a08yd,0 a0t94,0 a0t97,0 a0t98,0 arc5u,14 ab3dt,0 ajoij,0 ax0ru,0 abnwl,2 az4z8,0 avwh1,5 avwhw,0 9tmwc,0 8nca,0 tkau,0 ajlz0,0 aw5fv,0 aw5f0,0 aw5f1,0 aubgp,0 aw5fz,0 aubgn,0 aat87,1 agxkz,0 avwh5,0 avwhx,0 aytib,0 avwia,0 avwib,0 avwic
    004f7f9f-7ddd-004f-9044-4f005639bb57
    Any help would be greatly helpful!!

    Reply

    1. Hi Mike,
      a couple of things to check:
      1) did you install both fixes (language independent and dependent?
      2) did you run the SharePoint config wizard after you installed these two fixes?
      That should address all issue with uncustomized SharePoint pages.
      If the steps above did not help I assume you customized the searchadministration.aspx page.
      Cheers,
      Stefan

      Reply

  11. Hi Stefan!

    I fixed issues from semptember’s KBs, but now I have this error from windows event:

    Microsoft.SharePoint

    at Microsoft.SharePoint.Utilities.SPUtility.MakeBrowserCacheSafeLayoutsUrl(String name, Boolean localizable, Int32 desiredVersion)
    at Microsoft.SharePoint.WebControls.CssLink.SetupDialogCSS()
    at Microsoft.SharePoint.WebControls.CssLink.OnLoad(EventArgs e)
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

    Could you help me?

    Reply

    1. Hi G,
      this is not an error – this is just a callstack potentially complementing the error message.
      What is the actual error message you see?
      Thanks
      Stefan

      Reply

      1. Hi Stefan, thans for your help.

        I’ve opened the log file located in C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\LOGS\

        and I’ve found this:

        DelegateControl: Exception thrown while adding control ‘Microsoft.SharePoint.Portal.WebControls.SearchBoxEx’: System.Threading.ThreadAbortException: Thread was being aborted.
        at System.Threading.Thread.AbortInternal()
        at System.Threading.Thread.Abort(Object stateInfo)
        at System.Web.HttpResponse.AbortCurrentThread()
        at Microsoft.SharePoint.Portal.WebControls.SPSCommon.StopProcessingRequestIfNotNeeded(Page page)
        at Microsoft.SharePoint.Portal.WebControls.WebPartLoc.StopProcessingRequestIfNotNeeded()
        at Microsoft.SharePoint.Portal.WebControls.SearchBoxEx.OnInit(Object sender, EventArgs e)
        at System.Web.UI.Control.OnInit(EventArgs e)
        at System.Web.UI.Control.InitRecursive(Control namingContainer)
        at System.Web.UI.Control.AddedControl(Control control, Int32 i……ndex)
        at Microsoft.SharePoint.WebControls.DelegateControl.AddControlResilient(Control ctl)

        Reply

        1. This is strange. The error indicates that the server detected that the TCP connection between the client and the server no longer exists. In this case the server stops processing the page as no client is listening on the connection any longer and processing the request is a waste of resources.

          Do you have any proxy or other edge device in front of your server which could cause this?

          If you cannot resolve this on your own I would recommend to open a ticket with Microsoft to get this analyzed.

          Cheers,
          Stefan

          Reply

  12. Hi,
    Solution applied for our SP 2013 Enterprise farms (x3):

    Problem:
    In central administration, error “autoeventwireup” when clicking on powerpivot Dashboard page.

    Solution\workaround:
    SP 2013 / PowerPivot DashBoard Issue “autoeventwireup”
    In Central Administration web.config:

    Not the best solution but this workaround is available until next CU in few days 😉
    Best regards.

    Reply

    1. Hi, Could you please let us know the solution applied to resolve the issue for powerpivot dashboard page ?

      Reply

      1. Hi,

        In web.config on each SP Server, add this line:

        to obtain this:

        That works for us, perhaps this is not the best security solution but I must to go ahead.
        Let me know if you find a better solution.
        Best regards.

        Loïc WENDEL

        Reply

  13. Copy/paste from OneNote seems to work but text disapears after save action.
    In web.config on each SP Server, add this line:

    to obtain this:

    Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.