Hopefully you are not in the same boat as some organizations, who have applied the SharePoint 2010, 2013, 2016 or 2019 September 2020 Cumulative Update. As has happened in the past (just a few times), we are seeing multiple issues with this update. That is not really a fair statement, as the changes are actually what was intended to be added.

The main problem is found with any SharePoint environments that are integrated with first and third party solutions. Some of these security fixes have tightened the security requirements for this. An example of first party applications are: Microsoft Identity Manager (MIM) portal pages and Dynamics AX, along with other components.

The changes being applied are to do with items such as Safe Control entries, Custom User Controls, Page Parser Paths and any Declarative Statements in Master Pages and Pages (always advise against this anyway).

Stefan Goßner, from Microsoft outlined these changes:

  • Code Behind Classes and Web Parts need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • Custom User Controls (ascx) need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • Custom Server Controls need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • Inline Code Blocks in Pages are blocked. Pages which require that have to be whitelisted explicitly using <PageParserPath…> entries in the web.config
  • Declarative Statements in Pages and Master Pages which invoke server side code (e.g. autoeventwireup, enablesessionstate, serverside event receivers for page actiona) are blocked. Pages are now required to be whitelisted using <PageParserPath…> entries in the web.config

He also outlined some of the side-effects of these updates:

  • The attribute ‘autoeventwireup‘ is not allowed in pages
  • The attribute ‘enablesessionstate‘ is not allowed in pages
  • Code blocks are not allowed in files
  • The event handler are not allowed in pages
  • Errors such as:
    • UnsafeControlException: A Web Part or Web Form Control on this Page cannot be displayed or imported. The type could not be found or it is not registered as safe.
    • The referenced file ‘/_layouts/directory/usercontrol.ascx‘ is not allowed on this page.

To read more about this, check out Stefan’s post here: https://blog.stefan-gossner.com/2020/09/25/trending-issue-after-installing-september-2020-cu-and-pu-custom-pages-and-controls-fail-to-render/

As always, be careful about what updates you apply to your On-premises SharePoint environment. It can have major adverse affects, and requires countless hours of time to fix and get back to working.