ASP.NET 2.0 Event Validation
Edit on GitHubEvent Validation is a new feature in ASP.NET 2.0 which provides an additional level of checks on postback actions. It verifies whether a postback from a control on client-side is really from that control and not from a malicious person trying to break your application.
Even if you forget to add security checks of your own, ASP.NET provides this functionality, because this feature is enabled by default. Sometimes, it is safe to turn this of, but Microsoft tries to have developers turn this of when they know what they are doing.
Unfortunately: I came across Event Validation… A user control on a master page convinced ASP.NET that a postback within that same user control was unsafe, resulting in the following error:
"Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation."
There are some options to overcome this… One is to add a EnableEventValidation="false" in your @Page directive, another is to globally disable this in your Web.config (don’t!). The best solution, however, is telling ASP.NET to allow events from your user control’s inner controls, by adding the following snippet of code in the user control:
[code:c#]
protected override void Render(HtmlTextWriter writer)
{
// Register controls for event validation
foreach (Control c in this.Controls)
{
this.Page.ClientScript.RegisterForEventValidation(
c.UniqueID.ToString()
);
}
base.Render(writer);
}
[/code]
This is an imported post. It was imported from my old blog using an automated tool and may contain formatting errors and/or broken images.
2 responses