Callback ClientScriptManager.RegisterForEventValidation

Varangian

Hi all,

I have a question: what does the function
ClientScriptManager.RegisterForEventValidation really do? Does it
mean securing your client-side code? More security?

The question is how to implement this function, a step by step example
would be appreciated much

I don't want to disable the EnableEventValidation property at Page
level, security is an issue

Thanks!
 
Teemu Keiski

Hi,

Basically it is to tell which client-side event arguments your control is
expecting and which should be allowed. I.e. it is basically validating if
the event is valid. From the docs:

"
Balance the security benefit of event validation with its performance cost
Controls that derive from the System.Web.UI.WebControls and
System.Web.UI.HtmlControls classes can validate that an event originated
from the user interface that was rendered by the control. This helps prevent
the control from responding to spoofed event notification. For example, the
DetailsView control can prevent processing of a Delete call (which is not
inherently supported in the control) and being manipulated into deleting
data. This validation has some performance cost. You can control this
behavior using the EnableEventValidation configuration element and the
RegisterForEventValidation method. The cost of validation depends on the
number of controls on the page, and is in the range of a few percent.

Security Note
It is strongly recommended that you do not disable event validation.
Before disabling event validation, you should be sure that no postback could
be constructed that would have an unintended effect on your application.
"

And here is one sample:
http://msdn2.microsoft.com/en-us/library/ms223395.aspx
 
Varangian

Thank you very much for your reply

is it the only function needed to secure page spoofing? no other
functions needed?

however about that example.. how to use it when you have rendering
controls dynamically.. for example in the same page I may have
different controls

 
Teemu Keiski

Usually it is implemented in the control itself, as part of the control's own
rendering process, as the control knows what event arguments it expects. Doing
it on the page is pretty much for when the control's implementation is missing
something.

--
Teemu Keiski
ASP.NET MVP, AspInsider
Finland, EU
http://blogs.aspadvice.com/joteke
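
A control that registers its own event arguments while rendering, as the reply above describes, could look like the following. This is an added example, not code from the thread or from the linked MSDN sample; the `DecisionLinks` control, its `Decided` event and the two argument values are hypothetical.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical control for illustration: renders two postback links and
// accepts only the event arguments it rendered itself.
[SupportsEventValidation]
public class DecisionLinks : Control, IPostBackEventHandler
{
    // The complete set of event arguments this control expects.
    private static readonly string[] AllowedArguments = { "approve", "reject" };

    public event CommandEventHandler Decided;

    protected override void Render(HtmlTextWriter writer)
    {
        foreach (string argument in AllowedArguments)
        {
            // Must be called during Render. Each (UniqueID, argument) pair is
            // recorded in the page's __EVENTVALIDATION hidden field.
            Page.ClientScript.RegisterForEventValidation(UniqueID, argument);

            // Emits href="javascript:__doPostBack('<UniqueID>','<argument>')".
            writer.AddAttribute(HtmlTextWriterAttribute.Href,
                Page.ClientScript.GetPostBackClientHyperlink(this, argument));
            writer.RenderBeginTag(HtmlTextWriterTag.A);
            writer.WriteEncodedText(argument);
            writer.RenderEndTag();
            writer.Write(" ");
        }
    }

    public void RaisePostBackEvent(string eventArgument)
    {
        // With event validation enabled, this throws ArgumentException when
        // the posted pair was not registered by the Render that produced the
        // form, i.e. for any argument this control never rendered.
        Page.ClientScript.ValidateEvent(UniqueID, eventArgument);

        CommandEventHandler handler = Decided;
        if (handler != null)
            handler(this, new CommandEventArgs(eventArgument, null));
    }
}
```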

 
Varangian

what do you mean exactly?

how to implement it for a page with multiple controls and multiple
arguments?


 
Russell

Event validation ties in with the ASP.NET postback model where an event
"target" (a control client ID) and event "argument" (a value) are
returned through the postback call. Event validation lets you specify
valid event arguments. Event validation does not prevent strange
values from being entered in other controls on the form besides the
target control. So event validation will not, for instance, screen the
contents of all the text fields on a form. If you were concerned about
SQL injection, for instance, you would still want to use parameters in
your queries rather than concatenating field values directly into query
strings.
 
Varangian

Basically what I have is dropdownlists being filled with details upon
clicking of an ImageButton. These ImageButtons are being rendered
dynamically on Page_Load, not at design time, while the DropDownLists are
being created at design time. I also have a textbox accepting input
from the user. All these are made with callback events.

Then I have a Button that I want to do a normal PostBack; however,
when I click this non-callback Button an error pops up saying that
EventValidation has to be set to false or something like that. Now I
don't want to remove it, since security is an issue and I don't want to
risk my page being spoofed since I have a big chunk of JavaScript.
RegisterForEventValidation seems to be the solution but I don't know how to
use it exactly.

I followed the Microsoft example, it works, but when it comes to
controls at run-time I don't know how to do it!
Please, any help would be most appreciated!
Thank you!
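
For the scenario in this post (a design-time DropDownList filled in the browser by callbacks, followed by a normal postback), the registration can be done at page level by overriding `Render`. This is an added example, not part of the original post or the MSDN sample; the page class, the `DetailsList` and `SubmitButton_Click` names and the sample values are hypothetical, and it assumes the server can enumerate every value a callback may add.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind. DetailsList is the design-time DropDownList that
// a callback script fills in the browser; SubmitButton_Click handles the
// ordinary (non-callback) postback button.
public class DetailsPage : Page
{
    protected DropDownList DetailsList;   // wired up from the .aspx markup

    // Assumption: every value a callback may add is known on the server.
    // Constructed sample values.
    private static readonly string[] AllowedValues = { "10", "20", "30" };

    protected override void Render(HtmlTextWriter writer)
    {
        // The list registers only the items it holds on the server, so the
        // values the script adds later have to be registered here.
        foreach (string value in AllowedValues)
            ClientScript.RegisterForEventValidation(DetailsList.UniqueID, value);

        base.Render(writer);
    }

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // Options added in the browser are not in DetailsList.Items on the
        // server, so read the posted value from the form.
        string posted = Request.Form[DetailsList.UniqueID];

        // Event validation has already rejected unregistered values; the
        // explicit check keeps the handler safe if validation is ever disabled.
        if (Array.IndexOf(AllowedValues, posted) < 0)
            throw new InvalidOperationException("Unexpected list value.");

        // The TextBox content is not covered by event validation and still
        // needs its own input validation and parameterized queries.
    }
}
```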
 
Varangian

hello, any help please, no-one came in front of such thing?

thank you!
 
