"Microsoft.SharePoint.SPException: The security validation for this page is invalid." error in InfoPath browser forms

by S.Y.M. Wong-A-Ton

Learn how you can use the SPWeb.AllowUnsafeUpdates property to prevent the 'The security validation for this page is invalid.' error from taking place when you run code that calls directly into the SharePoint object model from within an InfoPath browser form.

If you’ve written code that uses the SharePoint object model and calls the Update() method on SharePoint objects from within an InfoPath browser-compatible form template, the code may work fine when you run it from the InfoPath client application but generate an error when you (as a SharePoint authenticated user) call it from an InfoPath browser form.

Note: Code that only retrieves data from SharePoint through the SharePoint object model will not generate the security validation error. The problem arises when you want to make changes to data stored in SharePoint.

You might get the following error message when you run code from within an InfoPath browser form that calls directly into the SharePoint object model and tries to do an update:

Warning

There has been an error while processing the form.
Click Continue to resume filling out the form. You may want to check your form data for errors.
Click Start Over to load a new copy of the form.

When you click Show error details, the error details read:

The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.

Microsoft.SharePoint.SPException: The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again. ---> System.Runtime.InteropServices.COMException (0x8102006D): The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.
at Microsoft.SharePoint.Library.SPRequestInternalClass.UpdateField(String bstrUrl, String bstrListName, String bstrXML)
at Microsoft.SharePoint.Library.SPRequest.UpdateField(String bstrUrl, String bstrListName, String bstrXML)
--- End of inner exception stack trace ---
at Microsoft.SharePoint.Library.SPRequest.UpdateField(String bstrUrl, String bstrListName, String bstrXML)
at Microsoft.SharePoint.SPField.UpdateCore(Boolean bToggleSealed)
at Microsoft.SharePoint.SPField.Update()
at SPSObjectModel.FormCode.CTRL2_5_Clicked(Object sender, ClickedEventArgs e)
at Microsoft.Office.InfoPath.Server.SolutionLifetime.ButtonEventHost.<>c__DisplayClass6.<>c__DisplayClassa.b__3()
at Microsoft.Office.InfoPath.Server.Util.DocumentReliability.InvokeBusinessLogic(Thunk thunk)
at Microsoft.Office.InfoPath.Server.SolutionLifetime.ButtonEventHost.<>c__DisplayClass6.b__2(Object sender, ClickedEventArgs e)
at Microsoft.Office.InfoPath.Server.SolutionLifetime.ButtonEventHost.FireClickedEvent(Object sender, ClickedEventArgs args)
at Microsoft.Office.InfoPath.Server.SolutionLifetime.ButtonFormCode.<>c__DisplayClass2.<>c__DisplayClass5.b__1()
at Microsoft.Office.InfoPath.Server.DocumentLifetime.OMExceptionManager.CallFormCodeWithExceptionHandling(UserMessages userMessages, OMCall d)

An entry has been added to the Windows event log of the server.
Log ID:5337

To be able to call into the SharePoint object model directly from an InfoPath browser
form and perform updates, you must set SPWeb.AllowUnsafeUpdates to true.

The MSDN documentation on SPWeb.AllowUnsafeUpdates says:

The SPWeb.AllowUnsafeUpdates property gets or sets a Boolean value that
specifies whether to allow updates to the database as a result of a GET request without requiring a security validation.

The documentation further states the implication of setting SPWeb.AllowUnsafeUpdates to true:

Setting this property to true opens security risks, potentially introducing cross-site scripting vulnerabilities.

So ensure you set SPWeb.AllowUnsafeUpdates to false immediately after running the code that calls into the SharePoint object model.
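The pattern described above, as an added example that is not code from the original article: the button handler named in the stack trace updates a field with AllowUnsafeUpdates enabled only around the Update() call and restored in a finally block, so the setting is put back even when the update throws. The site URL, list title, field name and the UpdateFieldDescription helper are hypothetical placeholders.

```csharp
using System;
using Microsoft.Office.InfoPath;
using Microsoft.SharePoint;

namespace SPSObjectModel
{
    // Event registration (InternalStartup) is generated by InfoPath and omitted here.
    public partial class FormCode
    {
        // Placeholder values: assumptions for this example, not from the article.
        private const string SiteUrl = "http://server/sites/example";
        private const string ListTitle = "Example List";
        private const string FieldName = "Example Field";

        public void CTRL2_5_Clicked(object sender, ClickedEventArgs e)
        {
            // Objects created here are owned by this code and must be disposed.
            using (SPSite site = new SPSite(SiteUrl))
            using (SPWeb web = site.OpenWeb())
            {
                UpdateFieldDescription(web, ListTitle, FieldName,
                    "Updated from an InfoPath browser form");
            }
        }

        // Hypothetical helper: keeps the unsafe-update window as small as possible.
        private static void UpdateFieldDescription(
            SPWeb web, string listTitle, string fieldName, string description)
        {
            // Reads come first; retrieving data does not need AllowUnsafeUpdates.
            SPList list = web.Lists[listTitle];
            SPField field = list.Fields[fieldName];

            bool previous = web.AllowUnsafeUpdates;
            try
            {
                web.AllowUnsafeUpdates = true;
                field.Description = description;
                field.Update();
            }
            finally
            {
                // Runs on success and on exception, so the relaxed setting never lingers.
                web.AllowUnsafeUpdates = previous;
            }
        }
    }
}
```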

For an example on how you can use the SPWeb.AllowUnsafeUpdates property from an InfoPath browser form, see How to use the SharePoint object model to submit data from an InfoPath browser form to a SharePoint list.


  1. One Response to “"Microsoft.SharePoint.SPException: The security validation for this page is invalid." error in InfoPath browser forms”

  2. Mehrdad
    Posted Wednesday, 10 December 2008

    Thanks for the post it was helpfully…


Copyright: This article may not be used on web sites (whether personal or otherwise), copied, disseminated, altered, printed, published, broadcasted, or reproduced in any way without an expressed written consent of S.Y.M. Wong-A-Ton. Usage of techniques demonstrated in this article may be used within any Microsoft InfoPath project. This article is provided without any warranties. Copyright for this article is non-transferrable and remains with the author, S.Y.M. Wong-A-Ton.
