Have you ever modified a Web Part Page? If you answered yes, then today’s topic might be of interest. :)
Each .aspx page is rendered by one of two possible parsers. When a request is received for an .aspx page, the SharePoint isapi filter determines who will handle the rendering of the page – Asp.net or the SharePoint SafeMode parser. The first parser, Asp.net, requires the least amount of introduction. The second parser is unique to Windows SharePoint Services.
The intent of this discussion is to cover the differences between the two parsers. To be very clear, this discussion applies to pages which come from the main application root of a SharePoint virtual server. Pages which originate from either the “_layouts” or “_vti_bin” virtual directories can be excluded from the discussion.
As everyone knows, all pages within SharePoint are stored in the database. This effectively means that for each document, you will find a row in the docs table for that document. The actual file is stored in the Content column. This is true for all files. However, there is one exception - some .aspx pages don’t actually have their content stored in the database. Instead, these pages reference files which exist on the server’s file system. These pages are considered ghosted pages.
From a technical standpoint, ghosted pages are those rows in the docs table which have null values for the Content column and a non-null value for the SetupPath column which points to a file on the file system itself. The referenced file essentially serves as a template and content source.
What pages are ghosted? For example, the default home page is a ghosted page. Any web part pages created the via New Web Part Page user interface also ghosted.
Note: Since SP 2007, the official terminology has been adjusted. Ghosted pages are now called "Uncustomized" pages and, correspondingly, unghosted pages are now called "Customized" pages.
As you can see, I’ve described ghosted pages as the exception to the rule. What does it mean if a document doesn’t reference a template on the file system? Or, more to the point, the Content column actually contains data? These pages are known as unghosted .aspx pages and they are routed through the SafeMode parser.
What does is the main difference between the SafeMode parser and Asp.net? Code compilation.
As everyone knows, Asp.net will parse a page on first render and compile it into an assembly. The SafeMode parser does NOT compile pages. It is designed to interpretatively parse a page and create the object structure of the page. In the event inline server-side code is detected, the SafeMode parser will not allow the page to render. Additionally, the only objects within the page (i.e. controls marked as runat=server) which can be instantiated are those items found in the SafeControls list.
Can a page transition from a ghosted state to unghosted? Yes.
Ghosted pages become unghosted once a file has been modified. If a page is updated using FrontPage 2003, web folders, or the modification of custom document library fields, the Content column of the given document row is populated with the page contents. All uploaded .aspx files are automatically unghosted.
Are there other differences between SafeMode and Asp.net? Yes.
Although the SafeMode parser was designed to be serve as replacement for the Asp.net parser, it does not offer identical functionality. The key differences between the two parsers are listed below:
- SafeMode does not offer AspCompat functionality.
- SafeMode does not compile; therefore, all compilation directives are ignored.
- Session State exists; however, in SafeMode once you turn it on, all unghosted pages are forced to participate in Session State. Unghosted pages do NOT have the option to opt out of using Session State.
(Update 9/22/2004: Read more about about the implications of turning on SessionState).
Why are there two types of rendering engines? Security and scalability.
The SafeMode parser ensures unghosted pages are not allowed to run code. This security feature prevents a user from injecting code into page which may maliciously, or unintentionally, bring down a server, snoop data, etc. Consider the permission levels associated with updating a page vs. the number of users within a WSS server – if you’re the admin, you would probably be extremely wary of giving anyone the “Add and Customize Pages” right knowing that they would be able to freely execute server-side code if the SafeMode parser didn’t exist. With our current behavior, once a page is transitioned from a ghosted to unghosted state, the admin knows that page cannot influence the behavior of the server.
Additionally, without the SafeMode parser, all pages would have to be routed through Asp.net which would mean all pages would be compiled and their associated assembly loaded into memory. Imagine a site with thousands of operational pages... the memory requirement would be huge. The current design limits page compilation to a very small number of pages relative to the actual number of pages within a WSS-extended virtual server.
I'll post the second part of this discussion in a short while...