Important: This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

Symptoms

After you install the following September security updates for SharePoint Server, some Web Part Pages Web Service methods may be blocked. Additionally, event tags "6loz1" or "5mh3d" are logged in SharePoint Unified Logging System (ULS) logs. 

Cause 

To strengthen the security of SharePoint, enhanced security checks were added to the RenderWebPartForEdit method to block controls which contain the property traversal character "." in their attributes by default. This may cause existing Web Part Pages Web Service methods to be blocked.

Workaround

Warning: The default SafeControls in SharePoint's web.config file have gone through a security review and have had their AllowPropertiesTraversal attribute set based on whether they're considered safe for use with a property traversal character in their attributes. Users should do a security review before setting any additional SafeControls AllowPropertiesTraversal attributes to true to make sure that they are safe for use with a property traversal character in their attribute values.

To work around this issue, unblock controls that are blocked by the security checks.

First, look for event tags "6loz1" and "5mh3d" in the SharePoint ULS logs. These event tags contain information about which controls were blocked due to having a property traversal character "." in their attribute value. For example:

6loz1 Unsafe control=<TypeName>, <AssemblyName>, <AssemblyVersion>, <AssemblyLanguageSetting>, <AssemblyPublicKey> for having property traversal char in attribute value.

Next, examine the blocked control to ensure it's safe with a property traversal character in the attribute value. If it is safe, look for the <SafeControl> for that control in the <Configuration/SharePoint/SafeControls> node in the web.config file of your web applications, and add the AllowPropertiesTraversal="True" attribute to it. If you can't find the <SafeControl> for that control in that node, add a <SafeControl> element for it with the AllowPropertiesTraversal="True" attribute. Following is an example:

<SafeControl

    Assembly="CustomSolution.AssemblyName, Version=1.2.3.4,Culture=neutral, PublicKeyToken=11aa22bb33cc44dd"

    Namespace="CustomSolution.AssemblyName.NameSpace"

    TypeName="AffectedClass"

    AllowRemoteDesigner="True" Safe="True" SafeAgainstScript="True" AllowPropertiesTraversal="True"/>

Need more help?

Expand your skills

EXPLORE TRAINING >

Get new features first

JOIN MICROSOFT INSIDERS >

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×