SharePoint 2010 Safeguard Against XSS

XSS, better known as cross-site scripting, is the term for script injection techniques that attackers use to place malicious scripts into web pages. The usual approach is to inject JavaScript into data entry columns and form fields, in order to bypass user authentication; retrieve, modify, or delete important user data; redirect users to malicious websites; and so on. Without proper safeguards, XSS attacks can be fatal in the case of SharePoint 2010, because of the comprehensive client-side object model introduced in SharePoint 2010.

To deal with XSS attacks effectively, you must understand the new safeguards that SharePoint 2010 provides against them. Unlike SharePoint 2007, SharePoint 2010 no longer lets users with Contributor privileges modify web part properties. To alter this default behavior, SharePoint 2010 introduces a new attribute called SafeAgainstScript, which you can set when registering your web part as a safe control in the site's web.config. By default this attribute is set to false; changing it to true restores the SharePoint 2007 behavior, and every user with appropriate privileges is again able to modify the web part properties. Another attribute, RequiresDesignerPermissionAttribute (false by default), restricts modification of your web part's properties to users with Designer permissions. You decorate your web part class with this attribute; once it is set to true, only users with Designer permissions can alter your web part properties, regardless of the value of SafeAgainstScript. Apart from safeguarding against XSS attacks, correct configuration of these attributes matters because, by default, Contributors can no longer modify your web part properties as they could in SharePoint 2007.
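The two settings described above, shown together in an added example that is not code from the original page: the web.config SafeControl entry carrying SafeAgainstScript, and a web part class decorated with RequiresDesignerPermission that also HTML-encodes its editable property on output. The namespace, class name, property name and assembly values are placeholders assumed for the example.

```csharp
// Added example (not from the page). Placeholder names: Contoso.WebParts, ContosoBanner,
// BannerText, and the assembly values in the SafeControl entry below.
//
// web.config registration. SafeAgainstScript="False" is the SharePoint 2010 default,
// under which Contributors cannot edit the web part's properties; set it to "True"
// only if you deliberately want the SharePoint 2007 behavior back:
//
//   <SafeControl Assembly="Contoso.WebParts, Version=1.0.0.0, Culture=neutral,
//                          PublicKeyToken=[PLACEHOLDER]"
//                Namespace="Contoso.WebParts" TypeName="*"
//                Safe="True" SafeAgainstScript="False" />

using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint.WebPartPages;   // RequiresDesignerPermissionAttribute

namespace Contoso.WebParts
{
    // Regardless of the SafeAgainstScript value in web.config, only users holding
    // Designer permission may change this web part's properties.
    [RequiresDesignerPermission(true)]
    public class ContosoBanner : WebPart
    {
        // Editable in the tool pane, so whatever a user with edit rights stores here
        // reaches the page; it must be treated as untrusted text when rendered.
        [Personalizable(PersonalizationScope.Shared), WebBrowsable(true)]
        public string BannerText { get; set; }

        protected override void Render(HtmlTextWriter writer)
        {
            // Encode on output: any markup stored in the property is rendered as
            // literal text rather than interpreted by the browser.
            writer.Write("<div class=\"contoso-banner\">");
            writer.Write(HttpUtility.HtmlEncode(BannerText ?? string.Empty));
            writer.Write("</div>");
        }
    }
}
```

Output encoding is the defence that still applies when an authorized Designer (or a compromised Designer account) edits the property, which the permission attributes alone do not cover.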
