Trending issue: after installing September 2020 CU and PU custom pages and controls fail to render

After reading this blog post, please also have a look at the following article which includes a recent improvement for PageParserPath

September 2020 included a several important security fixes for all supported versions of Sharepoint (2010, 2013, 2016 and 2019).
Some of these security fixes have tightend the security requirements for 1st party and 3rd party solutions integrated with SharePoint.

Affected Microsoft Products which integrate with SharePoint and which are affected by this change include Microsoft Identity Manager (MIM) portal pages and Dynamix AX.

Here is a quick summary of the requirements which are enforced now:

  • code behind classes and web parts need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • custom user controls (ascx pages) need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • custom server controls need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • inline code blocks in pages are blocked. Pages which require that have to be whitelisted explicitly using <PageParserPath…> entries in the web.config
  • declarative statements in pages and master pages which invoke server side code (e.g. autoeventwireup, enablesessionstate, serverside event receivers for page actions, …) are blocked. Pages which require that have to whitelisted explicitly using <PageParserPath…> entries in the web.config

 

Symptoms

One or more of the following error message can occur for an affected page:

  • The attribute ‘autoeventwireup’ is not allowed in this page.
  • The attribute ‘enablesessionstate’ is not allowed in this page.
  • Code blocks are not allowed in this file.
  • The event handler ‘…’ is not allowed in this page. (… is a place holder and can mean any event type like OnClick, OnSelectedIndexChanged, …)
  • UnsafeControlException: A Web Part or Web Form Control on this Page cannot be displayed or imported. The type could not be found or it is not registered as safe.
  • The referenced file ‘/_layouts/somedirectory/affectedusercontrol.ascx’ is not allowed on this page.

 

Solution

Important: you should only whitelist affected pages and controls if these pages and controls are ghosted and remain ghosted. Ghosted means that they are deployed to the file system through custom solutions and are not modified afterwards using tools like SharePoint designer. Unghosted pages live in the SharePoint database while ghosted pages live on the file system. Modifications done through unghosting are not under the control of a SharePoint administrator and they should therefor be treated as unsafe and should not be unblocked.

 

Examples for web.config entries which can help to whitelist pages:

For blocked code behind files and server controls you need to whitelist the relevant classes using SafeControl elements similar to the following:

<SafeControl
   Assembly="CustomSolution.AssemblyName, Version=1.2.3.4,Culture=neutral, PublicKeyToken=11aa22bb33cc44dd"
   Namespace="CustomSolution.AssemblyName.NameSpace"
   TypeName="AffectedClass"
   AllowRemoteDesigner="True" Safe="True" SafeAgainstScript="True" />

Assembly, Namespace and TypeName in the above example has to be adjusted to reflect the information for the affected class.

If all controls and classes in a given assembly and namespace are safe you can use “*” as wildcard for the TypeName to whitelist all controls and classes at once. Please review your code carefully before applying this step to ensure that you are only whitelisting classes which are intended to be used in the affected pages.

 

To whitelist a directory hosting the affected user controls (.ascx) use a SafeControl element with the following syntax:

<SafeControls>
    <SafeControl Src="~/_layouts/somedirectory/*" IncludeSubFolders="True" Safe="True" AllowRemoteDesigner="True" SafeAgainstScript="True" />
</SafeControls>

or

<SafeControls>
    <SafeControl Src="~/_layouts/somedirectory/*" IncludeSubFolders="True" Safe="True" />
</SafeControls>

To whitelist pages or master pages which have inline code or include declarative statements which invoke server side code you need to whitelist them using a PageParserPath element similar to the following:

<SafeMode MaxControls="200" CallStack="false" DirectFileDependencies="15" TotalFileDependencies="250" AllowPageLevelTrace="false">
    <PageParserPaths>
        <PageParserPath VirtualPath="/<relativepath>/page.aspx" CompilationMode="Always" AllowUnsafeControls="true" AllowServerSideScript="true" />
    </PageParserPaths>
</SafeMode>

Important: do not add IncludeSubFolders=”True” in this line when specifying a specific page as above!

VirtualPath is the server relative path starting at the root of your web application. In case you are using the same user control in multiple sites or collections you need to add a separate entry for each occurance.

To whitelist all controls in a given directory you can use the following syntax:

<SafeMode MaxControls="200" CallStack="false" DirectFileDependencies="15" TotalFileDependencies="250" AllowPageLevelTrace="false">
    <PageParserPaths>
        <PageParserPath VirtualPath="/<relativepath>/*" CompilationMode="Always" AllowUnsafeControls="true" AllowServerSideScript="true" IncludeSubFolders="True"/>
    </PageParserPaths>
</SafeMode>

Important: do NOT add VirtualPath=”/*” as this would effectively disable the security fix which was released in September 2020. Instead ensure to be a specific as possible for the VirtualPath to ensure that only pages are enabled which contain code that has been verified to be safe.

DirectFileDependencies indicates the number of allowed direct file dependencies. If you receive an error message such as “The number of allowed direct file dependencies exceeds the limit,” you can increase this value.

 

To simplify adding the PageParserPath elements to the web.config you can use the following powershell script created by Joe Rodgers which ensures that the entry is set on all servers in your farm:

https://gist.github.com/joerodgers/91e8d70ae477ab84fe41c9395ffdcd82

 

More information

See the following KB article for more information:

  • KB 4584132 – Ghosted pages in SharePoint don’t render

85 Comments


  1. Ciao Stefan,
    thank you for your post!
    Regarding your post about some fixes that will cause problems on SharePoint… I don’t understand the connection between the MIM and the problem pointed out by you… MIM portal pages…what means?

    I have a MIM solution installed on another server for synchronize user profile value from SAP to SharePoint
    but we dont have WebPart or custom page.
    I would like some more clarification about your post 🙂

    Thank you very much!

    Reply

    1. sorry for the smile!! I don’t know how it came out! sorry

      Reply

      1. No worries – it was a problem in the CSS styles of my blog.
        I have fixed it now.

        Reply

        1. Ciao Stefan,
          thank you for your post!

          Regarding your post about some fixes that will cause problems on SharePoint… I don’t understand the connection between the MIM and the problem pointed out by you… MIM portal pages…what means?

          I have a MIM solution installed on another server for synchronize user profile value from SAP to SharePoint(witth a custom .DLL )
          but we dont have WebPart or custom page.
          I would like some more clarification about your post for understand if our SharePoint 2013 farm will be affected.

          Thank you!

          Reply

  2. PowerPivot is concerned in SP 2013 when accessing to admin pages in Central Administration.

    Reply

    1. Hi Loic,
      I don’t have a system in this configuration.
      Would be great if you could share here the affected controls/pages and how you solved it.
      It would certainly help the community.
      Thanks,
      Stefan

      Reply

      1. Hi,
        I hope your post will help me.
        Actually, in SP 2013, in Central Administration, Application Management, Manage Services application, PowerPivot Service Application, the access to the ServiceAppDashboard.aspx generates the “attribute autoeventwireup is not allowed in this page” error.
        Let see this problem next Week.
        Thanks to your to share this kind of information.
        Loïc

        Reply

        1. Hi Loic,
          ok, for this issue a PageParserPath needs to be configured. Be aware that after this is solved also some SafeControl elements might be required to fix it. Such issues are often hidden behind the issue you see right now as the inline code check fires first before binary references are evaluated.
          Cheers,
          Stefan

          Reply

          1. Hi Stefan, I am experiencing this same error on my 2016 env, “after the sept 2020 cu”, I have added the PageParserPath and am now getting this error “WebPartPageUserException: This page has encountered a critical error.” How can I find which SafeControl elements should be added?


          2. Hi WVZ,
            please evaluate the error details in the ULS log. They should help you to identify the issue.
            If you need further assistance I would recommend to open a support case with Microsoft.
            Cheers,
            Stefan


  3. Hi Stefan,

    Will October CU fix this issue? Do you recommend to wait for October CU for users who do not install September CU yet?

    -Yuseon

    Reply

    1. Hi Yuseon,
      there seems to be a misunderstanding: this is not a regression or a problem that was introduced.
      This behavior was introduced to solve a security issue through a security fix.
      I do not see that this behaviour would be changed or reverted going forward.
      Expect this to be the new normal which needs to be taken into consideration when developing custom applications for SharePoint.
      Cheers,
      Stefan

      Reply

  4. Hi Stefan,

    In our case, after applying the CU, accessing the search main page (https://oursearch/Pages/default.aspx), gives us the following error: Unknown server tag ‘SharePoint:BrowseStyleBlock’. We have checked for Register tags on master pages and so, but no luck. Any hint?

    Reply

    1. Hi Ismael,
      I haven’t seen this but this seems to be an unrelated issue as it is not a blocked page or control but an unknown tag in a page.
      My recommendation would be to open a ticket with Microsoft Support.
      Cheers,
      Stefan

      Reply

      1. Many thanks, good to know that at least is not related to blocked pages or control ones.

        Cheers,
        Ismael

        Reply

        1. The SharePoint:BrowseStyleBlock issue can occur if KB 4484515 was installed without 4484525. There is a dependency between them.

          Reply

          1. Search Center results pages were broken for us with the same error: ‘Unknown server tag ‘SharePoint:BrowseStyleBlock’.
            Installing KB 4484525 fixed the issue. Thanks so much for the solution @Ed Barnes!


  5. Added this to our 2013 environment and this resolved the conflicts we noticed.

    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards" TypeName="*" />
    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards" TypeName="*" />
    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards.TransformerConfigurationRecord" TypeName="*" />
    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards.TransformerConfigurationRecord" TypeName="*" />
    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.WebControls, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards.WebControls" TypeName="*" />
    <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.WebControls, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards.WebControls" TypeName="*" />

    Note: “Microsoft.PerformancePoint.Scorecards.WebControls” already existed.

    Reply

    1. Hi Matt,
      thanks Matt!
      No PageParserPath elements were required?
      Cheers,
      Stefan

      Reply

    2. Above Safe Controls worked perfectly for us, Thanks Matt!

      Reply

  6. Not yet but that farm doesn’t have much as 99% is moved to 2019. So far our 2019 has no known issues based on our regular test cases but we are holding off on promoting this to Stage/Prod until more testing is performed.

    Thank you very much for posing this and everything you have been doing.

    Reply

    1. Thanks Mark! I will reference it in the article above.

      Reply

  7. Hi,

    we’ve a custom pages on sharepoint 2013 enviroment,

    after applying this securty update, we got many System.NullReferenceException
    Object reference not set to an instance of an object.

    below erro logs from some of these pages

    System.NullReferenceException: Object reference not set to an instance of an object.
    at W.SharePoint.Item.GetService(Type serviceType)
    at W.Extensions.GetService[T](IServiceProvider serviceProvider, Boolean required)
    at W.SharePoint.Solutions.ObjectModel.WorkflowTaskInstance.get_TaskConfiguration()
    at W.SharePoint.Solutions.WorkflowContext.get_TaskConfiguration()
    at W.SharePoint.Solutions.UI.Controls.TaskFormPlaceholder.OnInit(EventArgs e)
    at System.Web.UI.Control.InitRecursive(Control namingContainer)
    at System.Web.UI.Control.InitRecursive(Control namingContainer)
    at System.Web.UI.Control.AddedControl(Control control, Int32 index)
    at Microsoft.SharePoint.WebPartPages.ListFormWebPart.CreateChildControls()
    at System.Web.UI.Control.E… cb5f7e9f-0f0c-5006-2e69-55b98c7f771d

    System.NullReferenceException: Object reference not set to an instance of an object. at G.Epm.WebParts.PWAWebParts.RedirectUsers.RedirectUsersUserControl.Page_Load(Object sender, EventArgs e)

    at System.Web.UI.Control.OnLoad(EventArgs e)
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.AddedControl(Control control, Int32 index)
    at G.Epm.WebParts.PWAWebParts.RedirectUsers.RedirectUsers.CreateChildControls()
    at System.Web.UI.Control.EnsureChildControls()
    at System.Web.UI.Control.PreRenderRecursiveInternal()
    at System.Web.UI.Control.PreRenderRecursiveInternal()
    at System.Web.UI.Control.PreRenderRecursiveInternal()
    at System.Web.UI.Control.PreRenderRecursiveInternal()
    at System.Web.UI.Control.PreRenderRe

    could you please help ?

    Reply

    1. Hi Ahmad,
      the exceptions all seem to originate in 3rd party controls as the relevant namespaces are not part of SharePoint (e.g. W.sharePoint…., G.Epm.WebParts…).
      Be aware that certain configuration settings are required now as outlined above.
      Please ensure that the correct entries for these controls are in the web.config. If the issue persists or if you are unsure what to configure, please work with the developer of these 3rd party controls to investigate this further.
      Cheers,
      Stefan

      Reply

  8. hi, i am having the issue when i click on the “Result Sources,” “Query Rules,” “Search Result Sources,” or “Search Query Rules” page from the Search Settings section of Site Settings.

    get this issue in the logs –

    System.NullReferenceException: Object reference not set to an instance of an object.
    at Microsoft.Office.Server.Search.Internal.UI.SearchObjectAdminPageBase.ErrorHandler(Object sender, EventArgs e)
    at System.Web.UI.Page.HandleError(Exception e)
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest()
    at System.Web.UI.Page.ProcessRequest(HttpContext context)
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously

    it mentions on https://support.microsoft.com/en-gb/help/4484525/security-update-for-sharepoint-foundation-2013-sept-8-2020 to use Powershell but really this isnt a fix just a workaround.

    Reply

    1. Hi Matt,
      yes – it is a workaround till a fix has been released.
      The fix is currently planned for October CU.
      Cheers,
      Stefan

      Reply

      1. Thanks Stefan for the heads up. much appericated.

        Reply

      2. Hello Stefan,

        Thanks for sharing this KB.

        We have fixed the issue occurred after applying September CU for our SharePoint 2013 environment by updating web.config.

        Is this issue still exists or fixed in Nov 2020 CU updates, or we still need to keep looking for permanent solution instead of updating web.config after each CU updates ?

        Best Regards,
        Meena

        Reply

        1. Hi Meena,
          this is not an issue – this is now by design to address certain security problems.
          These changes should not be reverted through a CU installation.
          Cheers,
          Stefan

          Reply

  9. Hi Stefan,

    We have installed Sep 2020 security patches in Sharepoint 2013 environment. While search services and everything fine custom search is not working. We getting this error “Unknown server tag ‘SharePoint:BrowseStyleBlock’ ” while trying to search something. Can you please me on this issue.

    Regards,
    Naga

    Reply

    1. Hi Naga,
      this should be fixed if you install the complete September CU rather than just the security fix.
      Cheers,
      Stefan

      Reply

  10. Applied September 2020 CU to Sharepoint 2016 An error occurred during the processing of /searchadministration.aspx. Code blocks are not allowed in this file

    When I try to access in Central Admin, then Manage services, click on “Search Service Application, I get the following error

    “Sorry, something went wrong
    An error occurred during the processing of /searchadministration.aspx. Code blocks are not allowed in this file”

    I tried applying the following to Central admin web.config, but did not resolves it.

    Uls log

    Timestamp
    Process
    TID Area Category EventID Level Message
    Correlation
    10/01/2020 01:04:38.23 w3wp.exe (Server:0x2084)
    0x2794 SharePoint Foundation
    Logging Correlation Data
    xmnv Medium
    Name=Request (GET:http://Server01:10000/searchadministration.aspx?appid=e699f757-c9a5-4744-b6b5-a3de117c5b5d)
    004f7f9f-7ddd-004f-9044-4f005639bb57
    10/01/2020 01:04:38.25 w3wp.exe (Server0x2084)
    0x2794 SharePoint Foundation
    Logging Correlation Data
    xmnv Medium
    Site=/ 004f7f9f-7ddd-004f-9044-4f005639bb57
    10/01/2020 01:04:38.25 w3wp.exe (Server:0x2084)
    0x2794 SharePoint Foundation
    Runtime
    tkau Unexpected
    System.Web.HttpException: Code blocks are not allowed in this file. at System.Web.UI.TemplateParser.ProcessError(String message) at System.Web.UI.TemplateParser.EnsureCodeAllowed() at System.Web.UI.TemplateParser.ProcessCodeBlock(Match match, CodeBlockType blockType, String text) at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding) at System.Web.UI.TemplateParser.ParseString(String text, VirtualPath virtualPath, Encoding fileEncoding) 004f7f9f-7ddd-004f-9044-4f005639bb57
    10/01/2020 01:04:38.25 w3wp.exe (Server:0x2084)
    0x2794 SharePoint Foundation
    WOPI aubgn Monitorable
    SPOIncidentsDetectionJob.UpdateErrorTextsIfNeeded: System.InvalidOperationException: Nullable object must have a value. at System.ThrowHelper.ThrowInvalidOperationException(ExceptionResource resource) at Microsoft.SharePoint.Administration.SPOIncidentsDetectionJob.GetSPOIncidentBitStatus() at Microsoft.SharePoint.Administration.SPOIncidentsDetectionJob.UpdateErrorTextsIfNeeded(String& errorText, String& linkText, String& linkUrl, Boolean& shouldIgnoreLinkValidation)
    004f7f9f-7ddd-004f-9044-4f005639bb57
    10/01/2020 01:04:38.25 w3wp.exe (Server:0x2084)
    0x2794 SharePoint Foundation
    General
    aat87 Monitorable
    004f7f9f-7ddd-004f-9044-4f005639bb57
    10/01/2020 01:04:38.26 w3wp.exe (Server :0x2084)
    0x2794 SharePoint Foundation
    Micro Trace
    uls4 Medium
    Micro Trace Tags: 0 avwhy,0 nasq,0 az4z8,0 avwhz,0 aytib,0 avwh6,0 az4z8,0 agb9s,0 ajd6k,0 ajd6l,0 avwh7,0 avwh8,0 avwh0,0 a0t92,0 a08yd,0 a0t94,0 a0t97,0 a0t98,0 arc5u,14 ab3dt,0 ajoij,0 ax0ru,0 abnwl,2 az4z8,0 avwh1,5 avwhw,0 9tmwc,0 8nca,0 tkau,0 ajlz0,0 aw5fv,0 aw5f0,0 aw5f1,0 aubgp,0 aw5fz,0 aubgn,0 aat87,1 agxkz,0 avwh5,0 avwhx,0 aytib,0 avwia,0 avwib,0 avwic
    004f7f9f-7ddd-004f-9044-4f005639bb57
    Any help would be greatly helpful!!

    Reply

    1. Hi Mike,
      a couple of things to check:
      1) did you install both fixes (language independent and dependent?
      2) did you run the SharePoint config wizard after you installed these two fixes?
      That should address all issue with uncustomized SharePoint pages.
      If the steps above did not help I assume you customized the searchadministration.aspx page.
      Cheers,
      Stefan

      Reply

  11. Hi Stefan!

    I fixed issues from semptember’s KBs, but now I have this error from windows event:

    Microsoft.SharePoint

    at Microsoft.SharePoint.Utilities.SPUtility.MakeBrowserCacheSafeLayoutsUrl(String name, Boolean localizable, Int32 desiredVersion)
    at Microsoft.SharePoint.WebControls.CssLink.SetupDialogCSS()
    at Microsoft.SharePoint.WebControls.CssLink.OnLoad(EventArgs e)
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

    Could you help me?

    Reply

    1. Hi G,
      this is not an error – this is just a callstack potentially complementing the error message.
      What is the actual error message you see?
      Thanks
      Stefan

      Reply

      1. Hi Stefan, thans for your help.

        I’ve opened the log file located in C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\LOGS\

        and I’ve found this:

        DelegateControl: Exception thrown while adding control ‘Microsoft.SharePoint.Portal.WebControls.SearchBoxEx’: System.Threading.ThreadAbortException: Thread was being aborted.
        at System.Threading.Thread.AbortInternal()
        at System.Threading.Thread.Abort(Object stateInfo)
        at System.Web.HttpResponse.AbortCurrentThread()
        at Microsoft.SharePoint.Portal.WebControls.SPSCommon.StopProcessingRequestIfNotNeeded(Page page)
        at Microsoft.SharePoint.Portal.WebControls.WebPartLoc.StopProcessingRequestIfNotNeeded()
        at Microsoft.SharePoint.Portal.WebControls.SearchBoxEx.OnInit(Object sender, EventArgs e)
        at System.Web.UI.Control.OnInit(EventArgs e)
        at System.Web.UI.Control.InitRecursive(Control namingContainer)
        at System.Web.UI.Control.AddedControl(Control control, Int32 i……ndex)
        at Microsoft.SharePoint.WebControls.DelegateControl.AddControlResilient(Control ctl)

        Reply

        1. This is strange. The error indicates that the server detected that the TCP connection between the client and the server no longer exists. In this case the server stops processing the page as no client is listening on the connection any longer and processing the request is a waste of resources.

          Do you have any proxy or other edge device in front of your server which could cause this?

          If you cannot resolve this on your own I would recommend to open a ticket with Microsoft to get this analyzed.

          Cheers,
          Stefan

          Reply

  12. Hi,
    Solution applied for our SP 2013 Enterprise farms (x3):

    Problem:
    In central administration, error “autoeventwireup” when clicking on powerpivot Dashboard page.

    Solution\workaround:
    SP 2013 / PowerPivot DashBoard Issue “autoeventwireup”
    In Central Administration web.config:

    Not the best solution but this workaround is available until next CU in few days 😉
    Best regards.

    Reply

    1. Hi, Could you please let us know the solution applied to resolve the issue for powerpivot dashboard page ?

      Reply

      1. Hi,

        In web.config on each SP Server, add this line:

        to obtain this:

        That works for us, perhaps this is not the best security solution but I must to go ahead.
        Let me know if you find a better solution.
        Best regards.

        Loïc WENDEL

        Reply

  13. Copy/paste from OneNote seems to work but text disapears after save action.
    In web.config on each SP Server, add this line:

    to obtain this:

    Reply


  14. In enterprise portal page of Dynamix AX 2012, customer came across error ‘An error occurred during the processing of /_catalogs/masterpage/defaultax.master. Code blocks are not allowed in this file.’

    I found the following in web.config

    Should I add AllowUnsafeControls=”true” as shown below, will it fix the error?

    Reply

    1. Hi Spike,
      sorry – xml/html markup will not get through in post comments.
      Cheers,
      Stefan

      Reply

  15. Hi Stefan,

    We had several custom web parts and solutions which broke after this update. After making page parser entries its not complaining about code block any more but page is not loading. We are looking at the custom web parts and assuming there are several .ascx that need to be added as safe in web.config. However we cant find all of them.
    Question is will retracting and redeploying custom solutions will fix this and add all those missing assemblies and references in web.config again ?
    Thanks.

    Reply

    1. Hi Umr,
      SharePoint does not automatically add these. It is up to the solution developer to define the controls that should be registered as safe and add the entries through event receivers during the deployment.
      It is unlikely that these old solutions will include the necessary registration code.
      My suggestion is to analyze the ULS logs. It should tell you the controls that are causing issues.
      If you need assistance you have the option to open a support case with Microsoft.
      Cheers,
      Stefan

      Reply

  16. Hi Stefan,
    we have around 1300 site collections (customer portals) for which we need to add PageParserPaths, as they all use a masterpage with some code and custum programmed forms with code. We added the necessary lines to the web.config and now have the error “web.config exceeds file limit”.
    Is there a way to split those about 2600 entries (“be as specific as possible”) to other web.configs or do we have to make the “/*” entry that is strongly discouraged. I have seen the possibility to extend the file limit in registry, but I cannot estimate the consequences with this larger file.

    Any recommendations?
    Thanks, Urs

    Reply

    1. I also have the same problem, We can’t add all the pages needed to be allowed. I really don’t want to use the “/*” but at the moment have no choice!
      luckily this has not been installed in live only in UAT after testing in very flat sharepoint installs.

      There must be another way of doing this?

      Reply

  17. Hi Stefan, please help, we have four servers farm with SP 2019 + Windows server 2019 + CU Nov 2020, but we can´t create a new search service application from the Central Administration, we get this error:

    System.InvalidOperationException: Operation is not valid due to the current state of the object. at Microsoft.SharePoint.Administration.SPDatabase.Update() at Microsoft.Office.Server.Search.Administration.SearchDatabase.BaseUpdate() at Microsoft.Office.Server.Search.Administration.SearchDatabase.CreateCleanDatabase[T](String
    searchApplicationName, ISearchDatabaseParameters databaseParameters) at Microsoft.Office.Server.Search.Administration.SearchServiceApplication.Create(String name, SearchQueryAndSiteSettingsService service, SPIisWebServiceApplicationPool applicationPool, SPIisWebServiceApplicationPool
    adminApplicationPool, ISearchDatabaseParameters adminDBParameters, ISearchDatabaseParameters searchSettingsDBParameters, IEnumerable1 crawlStoreDBsParameters, IEnumerable1 analyticsStoreDBsParameters, IEnumerable1 linksStoreDBsParameters, SPPartitionOptions
    partitionOptions, Boolean cloudIndex) at Microsoft.Office.Server.Search.Administration.SearchServiceApplication.Create(String name, SearchQueryAndSiteSettingsService service, SPIisWebServiceApplicationPool applicationPool, SPIisWebServiceApplicationPool adminApplicationPool,
    ISearchDatabaseParameters adminDBParameters, ISearchDatabaseParameters searchSettingsDBParameters, IEnumerable
    1 crawlStoreDBsParameters, IEnumerable`1

    We are ok with the upgrade and migration section, each server it’s succedeed

    Thanks so much

    Reply

  18. Dear Stefan,

    Thanks for putting attention to these problems.
    I hope you could spare some time to look into my problem as well.

    I am a a real noob in coding and programming so I have tried to understand what you mention with the SafeControls part, but it is not working for me.

    This is the error I got:

    The base type ‘Microsoft.Office.Server.Search.Internal.UI.SearchAdministration’ is not allowed for this page. The type Microsoft.Office.Server.Search.Internal.UI.SearchAdministration, Microsoft.Office.Server.Search, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c could not be found or it is not registered as safe.

    And it is preventing me to open the Search Application page. I need this page to re-index our search DB.

    Could you (or anyone else) please let me know which syntax I should use in the web.config?

    Thanks in advance.

    Christian B.

    Reply

    1. Hi Christian,
      there is no need to do this for the controls coming with SharePoint.
      The error indicates that you did not run the SharePoint configuration wizard after applying the patch as the wizard will update all web.config files with the necessary changes.
      Cheers,
      Stefan

      Reply

      1. Hi Stefan,
        Thanks for your reply.
        A run of the Configuration Wizard did the trick! Thank you very much.
        I wish all problems were easy like that 🙂
        Regards,
        Christian

        Reply

  19. We use Lightning Conductor web parts and they wouldn’t display after installing the Sept CU. Got the error:

    lightningTools.WebParts.Aggregation.LightningConductorWebPart, Error: The control type ‘System.Version’ is not allowed on this page. The type System.Version, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 could not be found or it is not registered as safe.

    The vendor sent us this safe control entry key to add in our web application web config file:
    After adding it and iisreset (automatically done on save of file), they displayed again. Hope this helps someone with a similar problem, using Lightning conductor web parts and Sept CU patch.

    Reply

    1. Hi Jones,
      Can you please retype the safe control key for the Lightning Conductor WebPart, it seems it was removed/not displayed.

      Reply

  20. Hi Stefan,

    I have the issue after the Sept CU updates for SP2010.

    We have custom webparts using telerik control and after the patch it is throwing the error like below.

    ‘Telerik.Web.UI.SocialShare.GenericSocialButtonsCollection`1[[Telerik.Web.UI.RadSocialButtonBase, Telerik.Web.UI, Version=2016.1.113.35, Culture=neutral, PublicKeyToken=121fae78165ba3d4]]’ is not allowed on this page. The type is not registered as safe.

    The safe control key has been added since we went live and it has been working fine before Sept CU.

    is there anything else I can do to resolve the issue?(I know that there is work around from MS)
    https://support.microsoft.com/en-ca/help/4572409/sharepoint-pages-not-render-when-using-unsafe-controls

    Is Microsoft working on this issue to resolve?

    I’d really appreciate if you provide some of inside information.

    Thanks,
    Ryan

    Reply

    1. Hi Ryan,
      before September 2020 CU the SafeControl element has not been enforced in all situations.
      The error indicates that the SafeControl element is not correctly registered. If you need assistance to resolve this I would suggest to open a support case with Microsoft.
      About the article you quoted: this is not a workaround – that is the solution.
      About your question is Microsoft is working to resolve the issue. The seems to be a misunderstanding.
      The new behavior is not caused by a problem in SharePoint but by a design change which was required to fix a security vulnerability in SharePoint.
      All future patch levels of SharePoint will enforce the new behavior.
      Cheers,
      Stefan

      Reply

      1. Hi Stefan,

        Thank you for the information.
        The issue has been resolved as I added the masterpage to the whitelist.
        Whitelist the telerik control is not enough since our masterpage is ghosted. Your blog post comes and save me.

        Thanks,
        Ryan

        Reply

  21. Hi Stefan,

    Is this issue solved with one of the new CU?

    Reply

    1. Hi Raphael,
      there is nothing to resolve. This is a design change introduced by a security fix.
      Going forward all custom controls and all pages with server side code have to be explicily enabled in the web.config.
      Cheers,
      Stefan

      Reply

      1. Hi Stefan,
        Thank you for your response. By a customer with SPF13 we has this issue for the searchadministration.aspx page. On this page it hasn’t custom controls. When I try it in the web.config for the CA with “<PageParserPath VirtualPath=”searchadministration.aspx”…” I get an runtime error. Do you have a solution for this?

        Reply

        1. Hi Raphael,
          it sounds to me as if you did not run the SharePoint configuration wizard after installing the fix as the Config Wizard will add the relevant entries to the web.config.
          Cheers,
          Stefan

          Reply

          1. It is CU July 2020 installed and after install the SharePoint security fixes released with December 2020 PU and run the SharePoint configuration wizard we get this issue.


          2. Hi Raphael,
            in this case I would suggest to open a support case with Microsoft to get this analyzed in more detail.
            Cheers,
            Stefan


  22. Hi Stefan, I don’t normally thank people for what I find via google. But damn, you have saved me with this post I spent days redeploying features hacking master pages trying to work out what was going on. Crazy sharepoint.

    Reply

    1. Hi Matthew,
      glad to see that my post is helpful!
      Cheers,
      Stefan

      Reply

  23. Hi Stefan,

    we are facing this issue in a site migrated from SP2010 to SP2016 and facing the following issue on rendering a page.

    “This page allows a limit of 200 controls, and that limit has been exceeded”

    I read some articles and found that it is not recommended to increase the default value of MaxControls=200 in web.config files.

    Can you please suggest something? Everything works fine in SP2010 for any number of controls.

    Cheers,
    Harry.

    Reply

    1. Hi Harry,
      please open a ticket with Microsoft to get this analyzed.
      Cheers,
      Stefan

      Reply


    1. Hi John,
      just looking at the error its not possible to answer this.
      I would assume there is a problem in the custom code of this page.
      If you need assistance to get this analyzed I would recommend to open a support case with Microsoft.
      Cheers,
      Stefan

      Reply

  24. Hi Stefen,

    Customers are facing issues with Dashboards accross the sites:
    Error:
    Web Part Error: The control type
    ‘Microsoft.PerformancePoint.Scorecards.TrasnformerConfigurationRecord’ is not allowed on this page. The type Microsoft.PerformancePoint.Scorecards.TrasnformerConfigurationRecord, Microsoft.PerformancePoint.Scorecards.Client, Version=15.0.0.0,Culture=neutral, PublicKeyToken=71e9bce111e9429c could not be found or it is not registered as safe. Correlation ID: 09a7b09f-1391-2002-aefb-85b1d316b8cf

    Tried to add into the web.config the below lines but dint help:

    Tried all these below, but still error persists:

    2.

    FYI In server there is already entry with:

    for version 14 and 15

    Reply

    1. Hi Prathiba,
      did you try the solution listed above in the comments section posted by “Matt” on Sept 25th?
      Cheers,
      Stefan

      Reply

  25. Has anyone solved the Powerpivot issue in Central Administration with the error? I am uncertain how to reference this in the web.config to fix

    http://xxxserver:39779/ServiceAppDashboard.aspx

    I am able to fix it using a wildcard like this:

    But unsure how to reference the ServiceAppDashboard.aspx page directly as it does not reside in a virtual directory

    Sorry, something went wrong
    The attribute ‘autoeventwireup’ is not allowed in this page.
    Technical Details

    Go back to site

    Reply

  26. I was able to resolve the issue issue by adding but getting the following now. Any Input?

    An error occurred during the compilation of the requested file, or one of its dependencies. A using namespace directive can only be applied to namespaces; ‘custom.solution.name’ is a type not a namespace

    Reply

    1. Hi Cesar,
      it seems you specified the fully qualified name of the class rather than the containing Namespace.
      You need to ensure that you are only specifying the namespace here.
      Cheers,
      Stefan

      Reply

  27. Hello Stefan,
    Thanks for sharing the solution. Have you seen any performance related issues when using PageParser method ?

    As per the article below it can cause performance issues.

    https://docs.microsoft.com/en-us/sharepoint/troubleshoot/sites/using-pageparserpath-directive

    When PageParserPath directive is used in combination with CompilationMode=”Always” AllowServerSideScript=”true” IncludeSubFolders=”true” property values, each page in the folders specified in the VirtualPath attribute will get compiled into “C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\root” as an App_Web_GUID.dll file. Once you edit the aspx page in SharePoint, the last modified date of the file will change and ASP.NET will recompile the page. ASP.NET will restart the application domain after 15 recompilations, which will unload all dlls from memory and run garbage collection and release all cached resources. The next request will initialize a new application domain for the web site and start compiling pages and repopulate caches, therefore the request will take more time.

    Your time and input is always appreciated.
    Thanks

    Reply

    1. Hi Umr, as you can see in the article it is not the use of the PageParserPath directive alone which causes the performance problems – it is the the combination of using this with certain properties and a large number of modifications to the files which match the scope specified in the PageParserPath directive.
      I have not seen any reports about performance problems so far – but by specifying the relevant pages directly rather than using wild cards and avoid include sub directories you can further minimize the impact.

      Reply

      1. Thanks Stefan for the response. This work around was suggested after an issue surfaced as result of patching. Do you know if need of pageparser will be removed in future patch ?

        We are seeing lots of performance related issues in on sites declared in pageparser tag. We have close to 9K sites under VirtualPath=managed path and heavily used.

        we are using pageparser as below

        Thanks again

        Reply

  28. I am having the issue of ‘autoeventwireup’ not allowed in performance point dashboard in central admin. I have added the SafeCOntrol entries from Matt in the post above and also added “VirtualPath=”/ServiceAppDashboard.aspx/*” to PageParserPaths but no luck so far. I still get the autoeventwireup error on the dashboard. Any ideas anyone?

    Reply

  29. I managed to recover the powerpivot dasboard page but none of the web parts are working. They show: “UnsafeControlException: A Web Part or Web Form Control on this Page cannot be displayed or imported. The type Microsoft.AnalysisServices.SPAddin.DataRefreshHistoryWebPart, Microsoft.AnalysisServices.SPAddin, Version=11.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91 could not be found or it is not registered as safe.” I have tried crating a safe control assembly line but where do I get the namespace? I have loooked in the ULS logs and there isn’t one there. My line looks like this so far: “SafeControl Assembly=”Microsoft.AnalysisServices.SPAddin.DataRefreshHistoryWebPart, Microsoft.AnalysisServices.SPAddin, Version=11.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91″ Namespace=” ? ” TypeName=”*”.

    Any ideas?

    Reply

    1. Have a educated guess, I’m not able to verify. Notice the pattern from the others, try Microsoft.AnalysisServices.SPAddin as namespace, if not that try Microsoft.AnalysisServices.

      -Matt

      Reply

      1. Thanks for the suggestions. None of the combinations worked. We are giving up on this and abandoning the dashboard.

        Reply

Leave a Reply to g.tava Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.