Connecting Tech Pros Worldwide Forums | Help | Site Map
bytes > topic > asp .net > answers

EnableEventValidation exception when dynamically adding controls on client with JavaScript

Lewis Holmes
Guest
  
Posts: n/a
#1: Jun 27 '08
Hi

I have the following situation in one of my asp.net pages.

The user can add multiple table rows to a form by selecting a button. These
rows can contain asp.net controls. When this button is selected, the row is
added using JavaScript. The script uses cloneNode to clone a hidden template
row and all of its children and then adds the new row to the table, updates
all of the child control Ids and sets visibility etc.
The hidden template row which is cloned to create the new rows is created in
server-side code and then hidden on the client using javascript so that the
user never realises it is there.

This is works correctly if I turn EnableEventValidation off on the page, but
with it on I get the exception "Invalid postback or callback argument."

I understand why this exception occurs (because I am creating new controls
on the client which are posting values back to the server), however is there
any way I can stop this exception from happening without turning
EnableEventValidation off?

I must stress, the controls are being created using JavaScript and so from
what I understand I cannot register them for event validation server-side
using something like:

protected override void Render(System.Web.UI.HtmlTextWriter
writer)
{
base.Render(writer);

this.Page.ClientScript.RegisterForEventValidation( control.ID);
}

If there is no other way to stop this exception from happening, what can I
do to minimise injection attacks that may occur with
EnableEventValidation="false"?

Thanks

Lewis

=?Utf-8?B?YnJ1Y2UgYmFya2Vy?=
Guest
  
Posts: n/a
#2: Jun 27 '08

re: EnableEventValidation exception when dynamically adding controls on client with JavaScript

event validation is to prevent hacking. it checks that postbacks are not done
by invisible controls or non-existent controls, for lists, the value is in
the list, etc.

you turn off event validation at the page level , then call
RegisterForEventValidation for all controls on the page, to have their events
and postback values validated.


-- bruce (sqlwork.com)


"Lewis Holmes" wrote:
Quote:
Hi
>
I have the following situation in one of my asp.net pages.
>
The user can add multiple table rows to a form by selecting a button. These
rows can contain asp.net controls. When this button is selected, the row is
added using JavaScript. The script uses cloneNode to clone a hidden template
row and all of its children and then adds the new row to the table, updates
all of the child control Ids and sets visibility etc.
The hidden template row which is cloned to create the new rows is created in
server-side code and then hidden on the client using javascript so that the
user never realises it is there.
>
This is works correctly if I turn EnableEventValidation off on the page, but
with it on I get the exception "Invalid postback or callback argument."
>
I understand why this exception occurs (because I am creating new controls
on the client which are posting values back to the server), however is there
any way I can stop this exception from happening without turning
EnableEventValidation off?
>
I must stress, the controls are being created using JavaScript and so from
what I understand I cannot register them for event validation server-side
using something like:
>
protected override void Render(System.Web.UI.HtmlTextWriter
writer)
{
base.Render(writer);
>
this.Page.ClientScript.RegisterForEventValidation( control.ID);
}
>
If there is no other way to stop this exception from happening, what can I
do to minimise injection attacks that may occur with
EnableEventValidation="false"?
>
Thanks
>
Lewis
>
>
Steven Cheng [MSFT]
Guest
  
Posts: n/a
#3: Jun 27 '08

re: EnableEventValidation exception when dynamically adding controls on client with JavaScript

Hi Lewis,

As for the exception you mentioned, it does be caused by the Event
Validation since you have some javascript generated html field which will
post data to server-side. So far the "EventValidation" can only be
configured at page level. Though it may involve some risk, but it is
necessary if we need to include dynamically generated html fields on page.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
Quote:
>From: "Lewis Holmes" <enate@nospam.nospam>
>Subject: EnableEventValidation exception when dynamically adding controls
on client with JavaScript
Quote:
>Date: Wed, 30 Apr 2008 13:33:53 +0100
Quote:
>
>Hi
>
>I have the following situation in one of my asp.net pages.
>
>The user can add multiple table rows to a form by selecting a button.
These
Quote:
>rows can contain asp.net controls. When this button is selected, the row
is
Quote:
>added using JavaScript. The script uses cloneNode to clone a hidden
template
Quote:
>row and all of its children and then adds the new row to the table,
updates
Quote:
>all of the child control Ids and sets visibility etc.
>The hidden template row which is cloned to create the new rows is created
in
Quote:
>server-side code and then hidden on the client using javascript so that
the
Quote:
>user never realises it is there.
>
>This is works correctly if I turn EnableEventValidation off on the page,
but
Quote:
>with it on I get the exception "Invalid postback or callback argument."
>
>I understand why this exception occurs (because I am creating new controls
>on the client which are posting values back to the server), however is
there
Quote:
>any way I can stop this exception from happening without turning
>EnableEventValidation off?
>
>I must stress, the controls are being created using JavaScript and so from
>what I understand I cannot register them for event validation server-side
>using something like:
>
>protected override void Render(System.Web.UI.HtmlTextWriter
>writer)
>{
>base.Render(writer);
>
>this.Page.ClientScript.RegisterForEventValidation (control.ID);
>}
>
>If there is no other way to stop this exception from happening, what can I
>do to minimise injection attacks that may occur with
>EnableEventValidation="false"?
>
>Thanks
>
>Lewis
>
>
Lewis Holmes
Guest
  
Posts: n/a
#4: Jun 27 '08

re: EnableEventValidation exception when dynamically adding controls on client with JavaScript

Hi Steven

Thank you for reply. It is good to get confirmation on this issue.

Kind Regards

Lewis

"Steven Cheng [MSFT]" <stcheng@online.microsoft.comwrote in message
news:kAj$ppzqIHA.4284@TK2MSFTNGHUB02.phx.gbl...
Quote:
Hi Lewis,
>
As for the exception you mentioned, it does be caused by the Event
Validation since you have some javascript generated html field which will
post data to server-side. So far the "EventValidation" can only be
configured at page level. Though it may involve some risk, but it is
necessary if we need to include dynamically generated html fields on page.
>
Sincerely,
>
Steven Cheng
>
Microsoft MSDN Online Support Lead
>
>
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.
>
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.
==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
>
--------------------
Quote:
>>From: "Lewis Holmes" <enate@nospam.nospam>
>>Subject: EnableEventValidation exception when dynamically adding controls
on client with JavaScript
Quote:
>>Date: Wed, 30 Apr 2008 13:33:53 +0100
>
Quote:
>>
>>Hi
>>
>>I have the following situation in one of my asp.net pages.
>>
>>The user can add multiple table rows to a form by selecting a button.
These
Quote:
>>rows can contain asp.net controls. When this button is selected, the row
is
Quote:
>>added using JavaScript. The script uses cloneNode to clone a hidden
template
Quote:
>>row and all of its children and then adds the new row to the table,
updates
Quote:
>>all of the child control Ids and sets visibility etc.
>>The hidden template row which is cloned to create the new rows is created
in
Quote:
>>server-side code and then hidden on the client using javascript so that
the
Quote:
>>user never realises it is there.
>>
>>This is works correctly if I turn EnableEventValidation off on the page,
but
Quote:
>>with it on I get the exception "Invalid postback or callback argument."
>>
>>I understand why this exception occurs (because I am creating new controls
>>on the client which are posting values back to the server), however is
there
Quote:
>>any way I can stop this exception from happening without turning
>>EnableEventValidation off?
>>
>>I must stress, the controls are being created using JavaScript and so from
>>what I understand I cannot register them for event validation server-side
>>using something like:
>>
>>protected override void Render(System.Web.UI.HtmlTextWriter
>>writer)
>>{
>>base.Render(writer);
>>
>>this.Page.ClientScript.RegisterForEventValidatio n(control.ID);
>>}
>>
>>If there is no other way to stop this exception from happening, what can I
>>do to minimise injection attacks that may occur with
>>EnableEventValidation="false"?
>>
>>Thanks
>>
>>Lewis
>>
>>
>
Steven Cheng [MSFT]
Guest
  
Posts: n/a
#5: Jun 27 '08

re: EnableEventValidation exception when dynamically adding controls on client with JavaScript

Thanks for your reply Lewis,

If you have anything else need help later, welcome to post here also.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
Quote:
>From: "Lewis Holmes" <enate@nospam.nospam>
>References: <CE37922F-B885-42C1-A2E9-FA6637E0A3A4@microsoft.com>
<kAj$ppzqIHA.4284@TK2MSFTNGHUB02.phx.gbl>
Quote:
>In-Reply-To: <kAj$ppzqIHA.4284@TK2MSFTNGHUB02.phx.gbl>
>Subject: Re: EnableEventValidation exception when dynamically adding
controls on client with JavaScript
Quote:
>Date: Thu, 1 May 2008 08:53:28 +0100
Quote:
>
>Hi Steven
>
>Thank you for reply. It is good to get confirmation on this issue.
>
>Kind Regards
>
>Lewis
>
>"Steven Cheng [MSFT]" <stcheng@online.microsoft.comwrote in message
>news:kAj$ppzqIHA.4284@TK2MSFTNGHUB02.phx.gbl...
Quote:
>Hi Lewis,
>>
>As for the exception you mentioned, it does be caused by the Event
>Validation since you have some javascript generated html field which will
>post data to server-side. So far the "EventValidation" can only be
>configured at page level. Though it may involve some risk, but it is
>necessary if we need to include dynamically generated html fields on
page.
Quote:
Quote:
>>
>Sincerely,
>>
>Steven Cheng
>>
>Microsoft MSDN Online Support Lead
>>
>>
>Delighting our customers is our #1 priority. We welcome your comments and
>suggestions about how we can improve the support we provide to you.
Please
Quote:
Quote:
>feel free to let my manager know what you think of the level of service
>provided. You can send feedback directly to my manager at:
>msdnmg@microsoft.com.
>>
>================================================= =
>Get notification to my posts through email? Please refer to
>>
http://msdn.microsoft.com/subscripti...ult.aspx#notif
Quote:
Quote:
>ications.
>================================================= =
>This posting is provided "AS IS" with no warranties, and confers no
>rights.
>>
>--------------------
Quote:
>>>From: "Lewis Holmes" <enate@nospam.nospam>
>>>Subject: EnableEventValidation exception when dynamically adding controls
>on client with JavaScript
Quote:
>>>Date: Wed, 30 Apr 2008 13:33:53 +0100
>>
Quote:
>>>
>>>Hi
>>>
>>>I have the following situation in one of my asp.net pages.
>>>
>>>The user can add multiple table rows to a form by selecting a button.
>These
Quote:
>>>rows can contain asp.net controls. When this button is selected, the row
>is
Quote:
>>>added using JavaScript. The script uses cloneNode to clone a hidden
>template
Quote:
>>>row and all of its children and then adds the new row to the table,
>updates
Quote:
>>>all of the child control Ids and sets visibility etc.
>>>The hidden template row which is cloned to create the new rows is created
>in
Quote:
>>>server-side code and then hidden on the client using javascript so that
>the
Quote:
>>>user never realises it is there.
>>>
>>>This is works correctly if I turn EnableEventValidation off on the page,
>but
Quote:
>>>with it on I get the exception "Invalid postback or callback argument."
>>>
>>>I understand why this exception occurs (because I am creating new
controls
Quote:
Quote:
Quote:
>>>on the client which are posting values back to the server), however is
>there
Quote:
>>>any way I can stop this exception from happening without turning
>>>EnableEventValidation off?
>>>
>>>I must stress, the controls are being created using JavaScript and so
from
Quote:
Quote:
Quote:
>>>what I understand I cannot register them for event validation server-side
>>>using something like:
>>>
>>>protected override void Render(System.Web.UI.HtmlTextWriter
>>>writer)
>>>{
>>>base.Render(writer);
>>>
>>>this.Page.ClientScript.RegisterForEventValidati on(control.ID);
>>>}
>>>
>>>If there is no other way to stop this exception from happening, what can
I
Quote:
Quote:
Quote:
>>>do to minimise injection attacks that may occur with
>>>EnableEventValidation="false"?
>>>
>>>Thanks
>>>
>>>Lewis
>>>
>>>
>>
>
>
Closed Thread

« previous question | next question »

Similar ASP.NET bytes

/bytes/development

/bytes/it

Forums
Visit our community forums for general discussions and latest on Bytes

Our staff and community areas have moved to bytes.com/forums/

/bytes/about

We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights. Get the best answers to your questions from over 226,471 network members.

dev questions:
algorithms | asp | asp.net | c/c++ | coldfusion | c# | flash | html/css | java | javascript |
mobile dev | .net | perl | php | python | ruby | software dev | vb.net | visual basic | xml
it questions:
access | apache | careers | db2 | iis | macosx | mysql | networking | oracle | postgresql | sql server | unix | windows

About Bytes | Copyright 1995-2009 BYTES. All rights Reserved