Why is my control working even though I don’t have a SafeControl entry?

This one came as a surprise to me. A customer pushes out a master page to all their site collections using a solution and feature. The master page has a server control that renders some information, so the control should have a SafeControl entry in the web.config file. Oddly enough, the sites render using the master page, including the server control, without any issues…and there is not a SafeControl entry for the control in the config file.

As it turns out, SharePoint only uses the SafeControl entries when rendering customized pages. When the master page is deployed using the solution and a feature, the file is uncustomized at that point, and the control will render just fine. Once you touch the page with SharePoint Designer, or in this case use export/import on a site, the master page gets customized and the SafeControl entries are in play, resulting in the site failing to render. Here’s some documentation for your perusal; highlighting was added to point out the important bits.

http://msdn.microsoft.com/en-us/library/bb964680.aspx

“Safe Controls

Safe mode processing goes a step beyond protecting against in-line script by also considering what controls a user might place on a customized page. For example, imagine a scenario in which a site administrator tries to mount an attack by adding a server-side control to a site page and parameterizing it in a certain way. Safe mode allows the farm administrator to determine which controls can be used in pages that are processed in safe mode.

Customized pages can only contain server-side controls that are explicitly registered as safe controls. Registering a control as a safe control is accomplished by adding a SafeControl entry into the web.config file for the hosting Web application.”

 

Just for completeness, here’s the error and a screenshot of what you get when the SafeControl entry is missing.

“The base type ‘TestControl.DemoMaster’ is not allowed for this page. The type is not registered as safe.”
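Because an uncustomized page hides a missing registration, it helps to check web.config before anyone customizes the page. The following is an added example, not code from the original post: `Test-SafeControl` is a hypothetical helper, and the sample config, the `Contoso.Controls` entry, and the assembly versions and key tokens are constructed placeholders.

```powershell
# Constructed sample web.config fragment. The assembly identities (version,
# public key token) and Contoso.Controls are placeholders, not from the post.
$sampleConfig = [xml]@'
<configuration>
  <SharePoint>
    <SafeControls>
      <SafeControl Assembly="Contoso.Controls, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000" Namespace="Contoso.Controls" TypeName="*" Safe="True" />
      <SafeControl Assembly="TestControl, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000" Namespace="TestControl" TypeName="OtherControl" Safe="True" />
    </SafeControls>
  </SharePoint>
</configuration>
'@

# Hypothetical helper: reports whether any SafeControl entry covers a type.
function Test-SafeControl {
    param(
        [Parameter(Mandatory = $true)] [xml]    $Config,
        [Parameter(Mandatory = $true)] [string] $AssemblyName,  # simple name only
        [Parameter(Mandatory = $true)] [string] $FullTypeName   # Namespace.Type
    )
    $dot = $FullTypeName.LastIndexOf('.')
    if ($dot -lt 1) { throw "Expected Namespace.Type, got '$FullTypeName'" }
    $ns   = $FullTypeName.Substring(0, $dot)
    $type = $FullTypeName.Substring($dot + 1)

    $nodes = $Config.SelectNodes('/configuration/SharePoint/SafeControls/SafeControl')
    $hits = @($nodes | Where-Object {
        # Simplification: compare the simple assembly name only, then return
        # the full strings so version and key token can be checked by eye.
        ($_.Assembly -split ',')[0].Trim() -eq $AssemblyName -and
        $_.Namespace -ceq $ns -and
        ($_.TypeName -eq '*' -or $_.TypeName -ceq $type)
    })
    # Assumption of this sketch: a matching Safe="False" entry counts as a denial.
    $allowed = @($hits | Where-Object { $_.Safe -eq 'True' }).Count -gt 0
    $denied  = @($hits | Where-Object { $_.Safe -eq 'False' }).Count -gt 0

    New-Object PSObject -Property @{
        Type       = $FullTypeName
        Registered = ($allowed -and -not $denied)
        Entries    = @($hits | ForEach-Object { $_.Assembly })
    }
}

# The type named in the error message; the sample has no entry for DemoMaster.
Test-SafeControl -Config $sampleConfig -AssemblyName 'TestControl' -FullTypeName 'TestControl.DemoMaster'
```

To run it against a real web application, load that application's web.config with `[xml](Get-Content <path>)` and pass it as `-Config`.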
