I can't tell if you're taking this particular "rogue hacker" threat very
seriously if you're poking fun at Microsoft for what you perceive as their
very serious take on it.
The problem with ASP.NET event validation is that there are legitmate
reasons for not creating lists of allowed values for particular form fields
on the server-side, and instead dynamically creating these lists on the
client-side via script.
"Peter Bromberg [C# MVP]" <pb*******@yahoo.yabbadabbadoo.comwrote in
message news:D0**********************************@microsof t.com...
The only real consequence of disabling eventvalidation is that you are no
longer protected from rogue hackers who've hijacked your page to attempt
to
post illegal formfield values that you didn't intend to be available on
the
page. That's all that eventvalidation does.
Peter
--
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net
"John Grandy" wrote:
>Does anyone have experience with turning off ASP.NET event validation ?
What is the complete set of consequences ?
I'm aware that event validation ensures that parameter values submitted
to
event handlers for read-only ASP.NET web controls ( such as ListBox )
must
match the list of possible values available at the time the control is
rendered on the server; non-matching values will trigger a runtime
exception. Turning off event validation removes this restriction.
What are the other consequences of turning off event validation ?
<pages theme="theme" enableEventValidation="false">