A few weeks ago I was updating the master page for a SharePoint 2007 (WSS) site. The client wanted the site updated to reflect the new look and feel that is being applied to another set of sites in the organization.
I created a new theme and master page, which I already wrote about here and here. It worked well, except for a few pages on a subsite. On those pages, I got the following error:
Server Error in '/' Application.
Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.
Parser Error Message: Code blocks are not allowed in this file.
I decided to go comb through my new master page and compare it to the existing master page that was already working. After going through them line by line several times, I had no clue what would be causing the error because they were basically the same!
It turns out, it was a combination of two things. First, on a few of the pages in the site, there was some include code (basically an <% EVAL()%> snippet). This was the code that was triggering my error “Code blocks are not allowed in this file”. However, this code was working fine with the previous master page.
I decided to then try doing a full deployment of the site with the new master page, and it worked fine! Apparently, if the master page is deployed using a Feature, then it is granted permission to allow code blocks, but if you upload pages either using web UI or SharePoint Designer, then the pages won’t be able to use code blocks.
I haven’t been able to pin down the rules or official info about this, but I thought others might find it useful anyway.
I recently read the Inside WSS 3.0 book which explains the reason for this issue. Pages deployed through the UI or SharePoint Designer are considered customized/unghosted/whatever you want to call it. As such they are not allowed to have script blocks outside of web part zones. This is intentional design by Microsoft so that potentially untrusted users aren't able to run malicious code on your server. Pages deployed through features and WSPs are non-customized/ghosted/etc and are allowed to have script blocks anywhere on the page.
-from the comments - Thanks Brian!