SharePoint security update causing issue

Athulya Pillai 46

Hi Team,
I am getting below error when installing latest security sharepoint update-kb5002494,KB 5002501 of
SharePoint server 2016 on windows server 2019.

Application error when access /_layouts/15/settings.aspx, Error=The control type 'System.Web.UI.HtmlControls.HtmlImage' is not allowed on this page. at System.Web.UI.TemplateParser.ProcessError(String message) at System.Web.UI.TemplateParser.ProcessBeginTag(Match match, String inputText) at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding)

I tried below, but did not help
$f=get-spfarm
$f.AddGenericAllowedListValue("WebPartSupportedBoundPropertyNames","data-title-text")
$f.AddGenericAllowedListValue("WebPartSupportedBoundPropertyNames","data-link-to-tab-text")
$f.update()

iisreset

Ling Zhou_MSFT 13,185 Reputation points Microsoft Vendor

2023-11-06T01:37:15.28+00:00

Thank you for your question.

We are currently looking into this issue and will give you an update as soon as possible.

Thank you for your understanding and support.
Mark S 0 Reputation points

2023-11-28T08:46:03.8366667+00:00

Hello, wondering please was there any update on this?

Installed KB5002501 Security Update for Microsoft Sharepoint Enterprise Server 2016. Installed on Windows Server 2016.

Since installing, we get:

Error=The control type 'System.Web.UI.HtmlControls.HtmlAnchor' is not allowed on this page. at System.Web.UI.TemplateParser.ProcessError(String message) at System.Web.UI.TemplateParser.ProcessBeginTag(Match match, String inputText) at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding)

I note under known issues with KB5002501:

New security enhancements in SharePoint Server might cause custom .aspx files not to be displayed under certain circumstances. Browsing to such a page generates a "92liq" event tag in SharePoint Unified Logging System (ULS) logs.

Sure enough in the ULS logs we see:

Blocking control with property traversal markup. [tagName: a][propName: data-title-text][type: BoundPropertyEntry]

So this is exactly the issue we're hitting.

However the below suggested fix does not work:

$farm = get-spfarm

$farm.AddGenericAllowedListValue(“WebPartSupportedBoundPropertyNames”,”data-title-text”)

$farm.AddGenericAllowedListValue(“WebPartSupportedBoundPropertyNames”,”data-link-to-tab-text”)

$farm.update()

Iisreset

When attempting to modify WebPartSupportedBoundPropertyNames, Sharepoint PowerShell module errors:

Exception calling "AddGenericAllowedListValue" with "2" argument(s): "An object of the type

Microsoft.SharePoint.Administration.AllowedList named "WebPartSupportedBoundPropertyNames" already exists under the parent Microsoft.SharePoint.Administration.SPFarm named "SharePoint_central_config". Rename your object or delete the existing object."

There doesn't seem to be any ability to remove. I have tried running $farm.RemoveGenericAllowedListValue(“WebPartSupportedBoundPropertyNames”,”data-title-text”) first but it makes no difference when later attempting to run the add.

I have also tried the kind suggestion here from @Ling Zhou_MSFT regards modifying web.config, but it makes no difference.

At this point I see little choice but to restore the farm to before I installed KB5002501, however that is less than ideal obviously. Any ideas are appreciated, thanks.

3 answers

Ling Zhou_MSFT 13,185 Reputation points Microsoft Vendor

2023-11-06T05:53:17.59+00:00
Hi @Athulya Pillai,

Thank you for posting in this community.

The cause of the problem: An allow list of ASP.NET controls is enforced in SharePoint 2016 after you install updates. If web parts or controls on the SharePoint pages are not added to the allow list, the pages do not render.

Solution:

1.Find your web application's web.config file. The approximate path should be:

the address of your installation:\inetpub\wwwroot\wss\VirtualDirectories\ the port number of your web applicaiton

2.Find the <SafeControls> tag and add the following to it:

<SafeControl Assembly="System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" Namespace="System.Web.UI.HtmlControls" TypeName="*" Safe="True" AllowRemoteDesigner="True" SafeAgainstScript="False" />

You can refer to your other System.Web.UI.WebControls values for the values of Version and PublicKeyToken, just be consistent with them.

3.Save the file and restart IIS.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Athulya Pillai 46 Reputation points

2023-11-06T15:49:21.4+00:00

will test and update here. Thank you

Ling Zhou_MSFT 13,185 Reputation points Microsoft Vendor

2023-11-08T01:06:31.18+00:00

Hi @Athulya Pillai,

Please kindly consider this comment as a warm follow up, I want to know if your problem has been solved. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If it doesn't work, please let us know the progress. By doing so, it will benefit all community members who are having this similar issue. Your contribution is highly appreciated.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Ling Zhou_MSFT 13,185 Reputation points Microsoft Vendor

2023-11-20T05:43:28+00:00

Hi @Athulya Pillai,

I am kindly following up to see if you have any remaining questions or concerns for this issue. . If the answer is helpful, please click "Accept Answer" and kindly upvote it. If it doesn't work, please let us know the progress. By doing so, it will benefit all community members who are having this similar issue. Your contribution is highly appreciated.
Sign in to comment
Athulya Pillai 46 Reputation points

2023-11-20T10:17:47.7733333+00:00

hi,

Please give me aday time, Tomorrow i will provide you the update
Please sign in to rate this answer.
Athulya Pillai 46 Reputation points

2023-11-20T16:10:07.3633333+00:00

I tried adding this solution.
It did not help, still same issue

Ling Zhou_MSFT 13,185 Reputation points Microsoft Vendor

2023-11-22T01:23:04.5466667+00:00

Hi @Athulya Pillai,

I am sorry that my method didn't solve your problem. As I was unable to replicate your problem on my end and didn't find any other information about your problem. We apologize that we can't provide further information on how to solve your problem, therefore we recommend you to open a ticket and ask for it.

Please accept my sincerely apologize for any in convenience this may cause. Thank you for your kind understanding.
Sign in to comment
Gábor Nagypál 0 Reputation points

2024-04-19T10:07:39.6733333+00:00
We bumped into "The control type 'System.Web.UI.HtmlControls.HtmlAnchor' is not allowed on this page." error. The ULS log also contains this entry:

Blocking control with property traversal markup. [tagName: a][propName: data-viewctr][type: SimplePropertyEntry]

The following article describes how to add 'data-viewctr' to 'WebPartSupportedSimplePropertyNames' list:

ASPX file cannot be displayed when you create a custom web part (KB5030804)

The final version of our workaround script:

$f=get-spfarm $f.AddGenericAllowedListValue("WebPartSupportedSimplePropertyNames","data-viewctr") $f.update() IISRESET
Please sign in to rate this answer.

0 comments No comments
Sign in to comment