ValidateRequest bug?

Max Metral

Ok, I have a global page class derived from System.Web.UI.Page, let's call
it BasePage. I have another class derived from that called MemberPage. It
checks the Form collection if it's a post for some "common" fields.

Now, I have an aspx page whose code behind derives from BasePage, and which
sets ValidateRequest=False in the page directive of the aspx. I can post
<script> tags and such with no problems.

However, when I make the code-behind derive from MemberPage, it throws an
exception in ValidateRequest for the Form collection *EVEN THOUGH
VALIDATEREQUEST IS FALSE*.

I don't understand how this could possibly be correct behavior?
 
Nicole Calinoiu

Max,

This might be annoying, but it's not a bug. The subclassing of BasePage by
MemberPage includes only the code, not the page directive. If you don't
want request validation to be active for any given page, you must specify
this in the page directive for that page.

HTH,
Nicole
 
Max Metral

Makes sense, but the hierarchy is as follows:

System.Web.UI.Page->BasePage->MemberPage->MyASPXCodeBehind->MyASPX

ValidateRequest is False in MyASPX, so it should be false right?

And to be clear, with absolutely NO other changes, this works fine:

System.Web.UI.Page->BasePage->MyASPXCodeBehind->MyASPX

Furthermore, all but the MyASPX are cs classes, and I don't even see a way
to specify the ValidateRequest directive for cs files, so I don't see how
MemberPage could be doing it.
 
Steven Cheng[MSFT]

Hi Max,

From your description, when you make your aspx page's codebehind page
class derived from a two-level custom base page class (indirectly derived
from System.Web.UI.Page), the validateRequest attribute you set in the
aspx's @Page directive does not work, yes?

Based on the page hierarchy you described as below:
==================================
System.Web.UI.Page->BasePage->MemberPage->MyASPXCodeBehind->MyASPX

System.Web.UI.Page->BasePage->MyASPXCodeBehind->MyASPX
====================================

I've also done a simple test on my side, and it seems that I can't reproduce
the problem. I used two very simple pages (just derived, without adding any
custom code). Here are the page classes I used to test:

==========================
public class MyBasePage : System.Web.UI.Page
{
    public MyBasePage()
    {
        //
        // TODO: Add constructor logic here
        //
    }
}

// Derives from the custom base page, adding a second level of inheritance.
public class MyDerivedPage : MyBasePage
{
    public MyDerivedPage()
    {
    }
}
=============================

And when I make an aspx page's code behind class derive from either
MyBasePage or MyDerivedPage, the validateRequest set in the aspx's @Page
will work. So would you please also have a try so that we can find the
actual cause? Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
 
Nicole Calinoiu

Max Metral said:
Makes sense, but the hierarchy is as follows:

System.Web.UI.Page->BasePage->MemberPage->MyASPXCodeBehind->MyASPX

ValidateRequest is False in MyASPX, so it should be false right?

Right.


And to be clear, with absolutely NO other changes, this works fine:

System.Web.UI.Page->BasePage->MyASPXCodeBehind->MyASPX

Furthermore, all but the MyASPX are cs classes, and I don't even see a way
to specify the ValidateRequest directive for cs files, so I don't see how
MemberPage could be doing it.

Like Steven, I can't reproduce the problem. My best guess would be that the
ValidateInput method of the request object is being called either within
MemberPage or in other code (e.g.: code behind the final page, http module,
etc.) that screens for whether the requested resource derives from
MemberPage before running the validation.
 
Max Metral

The one difference in your tests is that you need to call something like:

if (Request.Form["foo"] == "bar")
    Trace.Write("Yo");

in the page_load or onload of MemberPage. It's during that call that it
seems to call Validate.
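
Added example (not part of the thread and not ASP.NET source code): a simplified C# model of the behaviour discussed in the two posts above, in which HttpRequest.ValidateInput only arms validation and the exception surfaces later, at the first read of Request.Form. The names ModelRequest and Demo, the regular expression, and the sample form value are assumptions made for illustration.

```csharp
// Added illustration: a simplified stand-in for HttpRequest, not framework code.
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;

class ModelRequest
{
    private readonly NameValueCollection _form = new NameValueCollection();
    private bool _validateForm;   // armed by ValidateInput()

    public ModelRequest(string key, string value) { _form.Add(key, value); }

    // Like HttpRequest.ValidateInput(): nothing is checked here, validation is only armed.
    public void ValidateInput() { _validateForm = true; }

    // The check runs when the collection is read, so the exception's call stack
    // points at the reader of Form, not at whoever armed validation.
    public NameValueCollection Form
    {
        get
        {
            if (_validateForm)
            {
                foreach (string k in _form)
                    // Crude stand-in for the framework's dangerous-input test.
                    if (Regex.IsMatch(_form[k] ?? "", "<[A-Za-z!/?]"))
                        throw new InvalidOperationException(
                            "Potentially dangerous Request.Form value (" + k + ")");
            }
            return _form;
        }
    }
}

static class Demo
{
    // Mirrors the Request.Form["foo"] comparison from the post above.
    static string ReadFoo(bool armed)
    {
        var req = new ModelRequest("foo", "<script>alert(1)</script>"); // constructed input
        if (armed) req.ValidateInput();   // e.g. called by a base class or an HTTP module
        try { return req.Form["foo"] == "bar" ? "match" : "no match"; }
        catch (InvalidOperationException ex) { return "threw: " + ex.Message; }
    }

    static void Main()
    {
        Console.WriteLine("not armed: " + ReadFoo(false));
        Console.WriteLine("armed:     " + ReadFoo(true));
    }
}
```

When the exception appears only for pages deriving from one base class, the useful search is for every caller of ValidateInput on the request path (base classes, modules, handlers), since the stack trace shows only where the collection was read.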
 
Nicole Calinoiu

Still doesn't reproduce here. Are you perhaps using a trace listener that
might be calling ValidateRequest on the request?

 
Max Metral

I was tracing to the page, is this not allowed?

 