ClientScriptManager.RegisterForEventValidation

stewart

Hi.

I have an asp:dropdown control to which I add items on the client; when the
page is posted back I get this error message:
Invalid postback or callback argument. Event validation is enabled
using <pages enableEventValidation="true"/> in configuration or <%@
Page EnableEventValidation="true" %> in a page. For security purposes,
this feature verifies that arguments to postback or callback events
originate from the server control that originally rendered them. If
the data is valid and expected, use the
ClientScriptManager.RegisterForEventValidation method in order to
register the postback or callback data for validation


A quick trawl on Google hasn't turned up much except that I could set
enableEventValidation=false. This does work, but I'm reluctant as I'm unsure
what security/checking this feature provides.
I can't find any examples (working) of how I could use
ClientScriptManager.RegisterForEventValidation instead of turning off event
validation to solve my problem.

Help please.....
 
Bruce Barker

event validation checks the event and value are legal for the current
postback.

background: asp 1.1 web sites had a common user-coded security bug. many
asp.net coders would control access to their site by disabling, making
invisible, or changing the value of a control that performed functions the
user was not allowed. the onclick events would not recheck permissions, so a
hacker could easily perform these functions by posting a response that
faked the button/value press (trivial to do).

so, in asp 2.0, the default is to only allow events for controls that were
enabled, visible at page render, and that the value (in the case of a
button and dropdowns, etc.) matched the rendered values.

in your case, .net is detecting that the value posted back was not on the
list that it rendered, thus it's detecting a client hack. as your site is
expecting this behavior, you need to turn off the default checking;
ClientScriptManager.RegisterForEventValidation can be used for this, rather
than turning it off for the whole page/site.

-- bruce (sqlwork.com)
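
An added example, not part of either poster's messages: one way to register client-added dropdown values for event validation while leaving EnableEventValidation on. The names ddlItems, btnSave_Click, AddItemsPage and AllowedClientValues are hypothetical, and it assumes the server knows in advance every value the client script may add.

```csharp
// Code-behind for a page containing
//   <asp:DropDownList ID="ddlItems" runat="server" />
//   <asp:Button ID="btnSave" runat="server" OnClick="btnSave_Click" />
// ddlItems and btnSave are declared in the designer half of this partial class.
using System;
using System.Web;
using System.Web.UI;

public partial class AddItemsPage : Page
{
    // Assumption: the complete set of values that client script may add.
    private static readonly string[] AllowedClientValues = { "red", "green", "blue" };

    // RegisterForEventValidation may only be called during Render;
    // calling it in an earlier phase throws InvalidOperationException.
    protected override void Render(HtmlTextWriter writer)
    {
        foreach (string value in AllowedClientValues)
        {
            // Registers the (control UniqueID, value) pair so a postback that
            // carries this value passes event validation even though the
            // value was not in the rendered list.
            ClientScript.RegisterForEventValidation(ddlItems.UniqueID, value);
        }
        base.Render(writer);
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Items added in the browser are not in ddlItems.Items on the server,
        // so read the raw posted value for the control.
        string posted = Request.Form[ddlItems.UniqueID];

        // Event validation only proves the value was registered at render time.
        // Check it again here, and recheck the user's permission for the action,
        // before acting on it.
        if (posted == null || Array.IndexOf(AllowedClientValues, posted) < 0)
        {
            throw new HttpException(400, "Unexpected dropdown value.");
        }

        // ... use the validated value ...
    }
}
```

Registering only the specific values for this one control keeps validation active for every other control and value on the page.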
 
stewart

Great Bruce, thanks for clarifying that for me.

--
Stewart Bellamy
Ingenuity@work
