ClientScriptManager.RegisterForEventValidation

Discussion in 'ASP .Net' started by stewart, Dec 6, 2005.

  1. stewart

    stewart Guest

    Hi.

    I have an asp:dropdown control to which I add items on the client, when the
    page is posted back I get this error message.
    Invalid postback or callback argument. Event validation is enabled
    using <pages enableEventValidation="true"/> in configuration or <%@
    Page EnableEventValidation="true" %> in a page. For security purposes,
    this feature verifies that arguments to postback or callback events
    originate from the server control that originally rendered them. If
    the data is valid and expected, use the
    ClientScriptManager.RegisterForEventValidation method in order to
    register the postback or callback data for validation


    A quick trawl on google hasn't turned up much except that I could set
    enableEventValidation=false, this does work, but I'm reluctant as I'm unsure
    what security/checking this feature provides.
    I can't find any examples(working) of how I could use
    ClientScriptManager.RegisterForEventValidation instead of turning off event
    validation to solve my problem.

    Help please.....

    --
    Stewart Bellamy
    Ingenuity@work
     
    stewart, Dec 6, 2005
    #1
    1. Advertising

  2. stewart

    Bruce Barker Guest

    event validation checks the event and value are legal for the current
    postback.

    background: asp 1.1 web sites had a common user coded security bug. many
    asp.net coders would control access to their site by disabling, making
    invisible, or changing the value of control that performed functions the
    user was not allowed. the onclick events would not recheck permissions, so a
    hacker could easily perform these functions by postiing a response that
    faked the button/value press (trival to do).

    so, in asp 2.0, the default is to only allow events for controls that were
    enabled, visible at page render, and that the value (in the case of a
    button and dropdowns,etc ) matched the renderd values.

    in your case, .net is detecting that the value posted back was not on the
    list that it rendered, thus its detecting a a client hack. as you site is
    expecting this behavior, you need to turn off the default checking,
    ClientScriptManager.RegisterForEventValidation can be used for this, rather
    than turning it off for the whole page/site.

    -- bruce (sqlwork.com)



    "stewart" <> wrote in message
    news:%23%23N9k9k%...
    > Hi.
    >
    > I have an asp:dropdown control to which I add items on the client, when
    > the page is posted back I get this error message.
    > Invalid postback or callback argument. Event validation is enabled
    > using <pages enableEventValidation="true"/> in configuration or <%@
    > Page EnableEventValidation="true" %> in a page. For security purposes,
    > this feature verifies that arguments to postback or callback events
    > originate from the server control that originally rendered them. If
    > the data is valid and expected, use the
    > ClientScriptManager.RegisterForEventValidation method in order to
    > register the postback or callback data for validation
    >
    >
    > A quick trawl on google hasn't turned up much except that I could set
    > enableEventValidation=false, this does work, but I'm reluctant as I'm
    > unsure what security/checking this feature provides.
    > I can't find any examples(working) of how I could use
    > ClientScriptManager.RegisterForEventValidation instead of turning off
    > event validation to solve my problem.
    >
    > Help please.....
    >
    > --
    > Stewart Bellamy
    > Ingenuity@work
    >
     
    Bruce Barker, Dec 6, 2005
    #2
    1. Advertising

  3. stewart

    stewart Guest

    Great Bruce, thanks for clarifying that for me.

    --
    Stewart Bellamy
    Ingenuity@work
    "Bruce Barker" <> wrote in message
    news:uNkkCDp%...
    > event validation checks the event and value are legal for the current
    > postback.
    >
    > background: asp 1.1 web sites had a common user coded security bug. many
    > asp.net coders would control access to their site by disabling, making
    > invisible, or changing the value of control that performed functions the
    > user was not allowed. the onclick events would not recheck permissions, so
    > a hacker could easily perform these functions by postiing a response that
    > faked the button/value press (trival to do).
    >
    > so, in asp 2.0, the default is to only allow events for controls that were
    > enabled, visible at page render, and that the value (in the case of a
    > button and dropdowns,etc ) matched the renderd values.
    >
    > in your case, .net is detecting that the value posted back was not on the
    > list that it rendered, thus its detecting a a client hack. as you site is
    > expecting this behavior, you need to turn off the default checking,
    > ClientScriptManager.RegisterForEventValidation can be used for this,
    > rather than turning it off for the whole page/site.
    >
    > -- bruce (sqlwork.com)
    >
    >
    >
    > "stewart" <> wrote in message
    > news:%23%23N9k9k%...
    >> Hi.
    >>
    >> I have an asp:dropdown control to which I add items on the client, when
    >> the page is posted back I get this error message.
    >> Invalid postback or callback argument. Event validation is enabled
    >> using <pages enableEventValidation="true"/> in configuration or <%@
    >> Page EnableEventValidation="true" %> in a page. For security purposes,
    >> this feature verifies that arguments to postback or callback events
    >> originate from the server control that originally rendered them. If
    >> the data is valid and expected, use the
    >> ClientScriptManager.RegisterForEventValidation method in order to
    >> register the postback or callback data for validation
    >>
    >>
    >> A quick trawl on google hasn't turned up much except that I could set
    >> enableEventValidation=false, this does work, but I'm reluctant as I'm
    >> unsure what security/checking this feature provides.
    >> I can't find any examples(working) of how I could use
    >> ClientScriptManager.RegisterForEventValidation instead of turning off
    >> event validation to solve my problem.
    >>
    >> Help please.....
    >>
    >> --
    >> Stewart Bellamy
    >> Ingenuity@work
    >>

    >
    >
     
    stewart, Dec 7, 2005
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?QW5kcsOp?=

    ClientScriptManager.RegisterForEventValidation

    =?Utf-8?B?QW5kcsOp?=, Nov 10, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    1,913
  2. n33470
    Replies:
    9
    Views:
    151,658
    AbercrombieLV
    May 30, 2010
  3. Varangian
    Replies:
    7
    Views:
    2,866
    Varangian
    Jul 10, 2006
  4. Zac
    Replies:
    4
    Views:
    1,881
  5. DNB
    Replies:
    2
    Views:
    1,824
    Michael Nemtsev
    Dec 13, 2007
Loading...

Share This Page