ASP.NET 2.0 Event Validation

Edit on GitHub

Event Validation is a new feature in ASP.NET 2.0 which provides an additional level of checks on postback actions. It verifies whether a postback from a control on client-side is really from that control and not from a malicious person trying to break your application.

Even if you forget to add security checks of your own, ASP.NET provides this functionality, because this feature is enabled by default. Sometimes, it is safe to turn this of, but Microsoft tries to have developers turn this of when they know what they are doing.

Unfortunately: I came across Event Validation… A user control on a master page convinced ASP.NET that a postback within that same user control was unsafe, resulting in the following error:

"Invalid postback or callback argument.  Event validation is
enabled using <pages enableEventValidation="true"/> in
configuration or <%@ Page EnableEventValidation="true" %>
in a page. For security purposes, this feature verifies that
arguments to postback or callback events originate from
the server control that originally rendered them.
If the data is valid and expected, use the
ClientScriptManager.RegisterForEventValidation method
in order to register the postback or callback data for validation."

There are some options to overcome this… One is to add a EnableEventValidation="false" in your @Page directive, another is to globally disable this in your Web.config (don’t!). The best solution, however, is telling ASP.NET to allow events from your user control’s inner controls, by adding the following snippet of code in the user control:

[code:c#]

protected override void Render(HtmlTextWriter writer)
{
    // Register controls for event validation
    foreach (Control c in this.Controls)
    {
        this.Page.ClientScript.RegisterForEventValidation(
                c.UniqueID.ToString()
        );
    }
    base.Render(writer);
}

[/code]

This is an imported post. It was imported from my old blog using an automated tool and may contain formatting errors and/or broken images.

Leave a Comment

avatar

2 responses

  1. Avatar for kamila
    kamila October 26th, 2008

    this solution didnt work for me. Adding the enableeventvalidation = false worked

  2. Avatar for lyall
    lyall September 16th, 2010

    it does work. but some times a$p.net cant uniquely identify the controls in a user control.

    Just use:
    this.Page.ClientScript.RegisterForEventValidation( <YourControlID> ) ;