There are two cases to consider when using AllowUnsafeUpdates:
1. GET request
2. POST request
GET request
Setting AllowUnsafeUpdates opens the gateway for cross-site scripting. If we cannot switch to a POST request, we can go ahead with AllowUnsafeUpdates, but make sure the property is set back to false afterwards. Although the property is automatically set to false after use, in case of an exception we might end up in a situation where the property is still true.
E.g., how to use AllowUnsafeUpdates:
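// Requires: using System; using Microsoft.SharePoint;
// strcontent is the HTML string to upload, supplied by the caller.
using (SPSite spsite = new SPSite(SPContext.Current.Site.ID))
{
    using (SPWeb spWeb = spsite.OpenWeb())
    {
        try
        {
            SPFolder spfolder = spWeb.Folders[spWeb.Url + "/LibName/"];
            byte[] content = System.Text.Encoding.UTF8.GetBytes(strcontent);
            // Fixed-format timestamp: the default ToString() output contains '/' and ':',
            // which are not allowed in SharePoint file names.
            string filenname = "Upload" + DateTime.Now.ToString("yyyyMMddHHmmss") + ".html";
            spWeb.AllowUnsafeUpdates = true;
            SPFile spfile = spfolder.Files.Add(filenname, content, true);
        }
        catch (Exception exp)
        {
            throw new Exception(exp.Message, exp);
        }
        finally
        {
            // Always reset the flag, even when the upload throws.
            spWeb.AllowUnsafeUpdates = false;
        }
    }
}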
POST request
For a POST request we should use SPUtility.ValidateFormDigest() instead. Note that it relies on the form digest value, which can expire; an expired digest results in the security validation exception.
E.g., how to use SPUtility.ValidateFormDigest():
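// Requires: using System; using Microsoft.SharePoint; using Microsoft.SharePoint.Utilities;
// strcontent is the HTML string to upload, supplied by the caller.
using (SPSite spsite = new SPSite(SPContext.Current.Site.ID))
{
    using (SPWeb spWeb = spsite.OpenWeb())
    {
        try
        {
            SPFolder spfolder = spWeb.Folders[spWeb.Url + "/LibName/"];
            byte[] content = System.Text.Encoding.UTF8.GetBytes(strcontent);
            // Fixed-format timestamp avoids '/' and ':' in the file name.
            string filenname = "Upload" + DateTime.Now.ToString("yyyyMMddHHmmss") + ".html";
            // Validate the form digest posted with the request before updating.
            SPUtility.ValidateFormDigest();
            SPFile spfile = spfolder.Files.Add(filenname, content, true);
        }
        catch (Exception exp)
        {
            throw new Exception(exp.Message, exp);
        }
    }
}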
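One way to handle both cases in a single helper, as an added example (not code from the original post): on POST it requires a valid form digest and never touches AllowUnsafeUpdates; on other requests it enables AllowUnsafeUpdates only around the update and restores the previous value even if the update throws. SafeUpdate and Run are hypothetical names, and the code assumes it runs inside a SharePoint web request with the server object model available.

```csharp
// Added example. SafeUpdate and Run are hypothetical names, not SharePoint APIs.
using System;
using System.Web;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public static class SafeUpdate
{
    // Runs 'update' against 'web', choosing the protection by HTTP method.
    public static void Run(SPWeb web, Action<SPWeb> update)
    {
        if (web == null) throw new ArgumentNullException("web");
        if (update == null) throw new ArgumentNullException("update");

        HttpContext ctx = HttpContext.Current;
        bool isPost = ctx != null &&
            string.Equals(ctx.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase);

        if (isPost)
        {
            // POST: require a valid form digest and leave AllowUnsafeUpdates alone.
            if (!SPUtility.ValidateFormDigest())
                throw new InvalidOperationException(
                    "Form digest validation failed; reload the page and retry.");
            update(web);
            return;
        }

        // Non-POST request: enable unsafe updates only for the duration of the
        // update, then restore whatever value the SPWeb had before.
        bool previous = web.AllowUnsafeUpdates;
        try
        {
            web.AllowUnsafeUpdates = true;
            update(web);
        }
        finally
        {
            web.AllowUnsafeUpdates = previous;
        }
    }
}

// Usage with the upload from the snippets above (fileName and content are the caller's):
// SafeUpdate.Run(spWeb, w => w.Folders[w.Url + "/LibName/"].Files.Add(fileName, content, true));
```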
Reference : http://hristopavlov.wordpress.com/2008/05/16/what-you-need-to-know-about-allowunsafeupdates/