By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
443,313 Members | 1,240 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 443,313 IT Pros & Developers. It's quick & easy.

EnableEventValidation exception when dynamically adding controls on client with JavaScript

P: n/a
Hi

I have the following situation in one of my asp.net pages.

The user can add multiple table rows to a form by selecting a button. These
rows can contain asp.net controls. When this button is selected, the row is
added using JavaScript. The script uses cloneNode to clone a hidden template
row and all of its children and then adds the new row to the table, updates
all of the child control Ids and sets visibility etc.
The hidden template row which is cloned to create the new rows is created in
server-side code and then hidden on the client using javascript so that the
user never realises it is there.

This is works correctly if I turn EnableEventValidation off on the page, but
with it on I get the exception "Invalid postback or callback argument."

I understand why this exception occurs (because I am creating new controls
on the client which are posting values back to the server), however is there
any way I can stop this exception from happening without turning
EnableEventValidation off?

I must stress, the controls are being created using JavaScript and so from
what I understand I cannot register them for event validation server-side
using something like:

protected override void Render(System.Web.UI.HtmlTextWriter
writer)
{
base.Render(writer);

this.Page.ClientScript.RegisterForEventValidation( control.ID);
}

If there is no other way to stop this exception from happening, what can I
do to minimise injection attacks that may occur with
EnableEventValidation="false"?

Thanks

Lewis

Jun 27 '08 #1
Share this Question
Share on Google+
4 Replies


P: n/a
event validation is to prevent hacking. it checks that postbacks are not done
by invisible controls or non-existent controls, for lists, the value is in
the list, etc.

you turn off event validation at the page level , then call
RegisterForEventValidation for all controls on the page, to have their events
and postback values validated.
-- bruce (sqlwork.com)
"Lewis Holmes" wrote:
Hi

I have the following situation in one of my asp.net pages.

The user can add multiple table rows to a form by selecting a button. These
rows can contain asp.net controls. When this button is selected, the row is
added using JavaScript. The script uses cloneNode to clone a hidden template
row and all of its children and then adds the new row to the table, updates
all of the child control Ids and sets visibility etc.
The hidden template row which is cloned to create the new rows is created in
server-side code and then hidden on the client using javascript so that the
user never realises it is there.

This is works correctly if I turn EnableEventValidation off on the page, but
with it on I get the exception "Invalid postback or callback argument."

I understand why this exception occurs (because I am creating new controls
on the client which are posting values back to the server), however is there
any way I can stop this exception from happening without turning
EnableEventValidation off?

I must stress, the controls are being created using JavaScript and so from
what I understand I cannot register them for event validation server-side
using something like:

protected override void Render(System.Web.UI.HtmlTextWriter
writer)
{
base.Render(writer);

this.Page.ClientScript.RegisterForEventValidation( control.ID);
}

If there is no other way to stop this exception from happening, what can I
do to minimise injection attacks that may occur with
EnableEventValidation="false"?

Thanks

Lewis

Jun 27 '08 #2

P: n/a
Hi Lewis,

As for the exception you mentioned, it does be caused by the Event
Validation since you have some javascript generated html field which will
post data to server-side. So far the "EventValidation" can only be
configured at page level. Though it may involve some risk, but it is
necessary if we need to include dynamically generated html fields on page.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: "Lewis Holmes" <en***@nospam.nospam>
Subject: EnableEventValidation exception when dynamically adding controls
on client with JavaScript
>Date: Wed, 30 Apr 2008 13:33:53 +0100
>
Hi

I have the following situation in one of my asp.net pages.

The user can add multiple table rows to a form by selecting a button.
These
>rows can contain asp.net controls. When this button is selected, the row
is
>added using JavaScript. The script uses cloneNode to clone a hidden
template
>row and all of its children and then adds the new row to the table,
updates
>all of the child control Ids and sets visibility etc.
The hidden template row which is cloned to create the new rows is created
in
>server-side code and then hidden on the client using javascript so that
the
>user never realises it is there.

This is works correctly if I turn EnableEventValidation off on the page,
but
>with it on I get the exception "Invalid postback or callback argument."

I understand why this exception occurs (because I am creating new controls
on the client which are posting values back to the server), however is
there
>any way I can stop this exception from happening without turning
EnableEventValidation off?

I must stress, the controls are being created using JavaScript and so from
what I understand I cannot register them for event validation server-side
using something like:

protected override void Render(System.Web.UI.HtmlTextWriter
writer)
{
base.Render(writer);

this.Page.ClientScript.RegisterForEventValidation (control.ID);
}

If there is no other way to stop this exception from happening, what can I
do to minimise injection attacks that may occur with
EnableEventValidation="false"?

Thanks

Lewis

Jun 27 '08 #3

P: n/a
Hi Steven

Thank you for reply. It is good to get confirmation on this issue.

Kind Regards

Lewis

"Steven Cheng [MSFT]" <st*****@online.microsoft.comwrote in message
news:kA**************@TK2MSFTNGHUB02.phx.gbl...
Hi Lewis,

As for the exception you mentioned, it does be caused by the Event
Validation since you have some javascript generated html field which will
post data to server-side. So far the "EventValidation" can only be
configured at page level. Though it may involve some risk, but it is
necessary if we need to include dynamically generated html fields on page.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.
==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.

--------------------
>>From: "Lewis Holmes" <en***@nospam.nospam>
Subject: EnableEventValidation exception when dynamically adding controls
on client with JavaScript
>>Date: Wed, 30 Apr 2008 13:33:53 +0100
>>
Hi

I have the following situation in one of my asp.net pages.

The user can add multiple table rows to a form by selecting a button.
These
>>rows can contain asp.net controls. When this button is selected, the row
is
>>added using JavaScript. The script uses cloneNode to clone a hidden
template
>>row and all of its children and then adds the new row to the table,
updates
>>all of the child control Ids and sets visibility etc.
The hidden template row which is cloned to create the new rows is created
in
>>server-side code and then hidden on the client using javascript so that
the
>>user never realises it is there.

This is works correctly if I turn EnableEventValidation off on the page,
but
>>with it on I get the exception "Invalid postback or callback argument."

I understand why this exception occurs (because I am creating new controls
on the client which are posting values back to the server), however is
there
>>any way I can stop this exception from happening without turning
EnableEventValidation off?

I must stress, the controls are being created using JavaScript and so from
what I understand I cannot register them for event validation server-side
using something like:

protected override void Render(System.Web.UI.HtmlTextWriter
writer)
{
base.Render(writer);

this.Page.ClientScript.RegisterForEventValidatio n(control.ID);
}

If there is no other way to stop this exception from happening, what can I
do to minimise injection attacks that may occur with
EnableEventValidation="false"?

Thanks

Lewis

Jun 27 '08 #4

P: n/a
Thanks for your reply Lewis,

If you have anything else need help later, welcome to post here also.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: "Lewis Holmes" <en***@nospam.nospam>
References: <CE**********************************@microsoft.co m>
<kA**************@TK2MSFTNGHUB02.phx.gbl>
>In-Reply-To: <kA**************@TK2MSFTNGHUB02.phx.gbl>
Subject: Re: EnableEventValidation exception when dynamically adding
controls on client with JavaScript
>Date: Thu, 1 May 2008 08:53:28 +0100
>
Hi Steven

Thank you for reply. It is good to get confirmation on this issue.

Kind Regards

Lewis

"Steven Cheng [MSFT]" <st*****@online.microsoft.comwrote in message
news:kA**************@TK2MSFTNGHUB02.phx.gbl...
>Hi Lewis,

As for the exception you mentioned, it does be caused by the Event
Validation since you have some javascript generated html field which will
post data to server-side. So far the "EventValidation" can only be
configured at page level. Though it may involve some risk, but it is
necessary if we need to include dynamically generated html fields on
page.
>>
Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you.
Please
>feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

================================================= =
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
>ications.
================================================= =
This posting is provided "AS IS" with no warranties, and confers no
rights.

--------------------
>>>From: "Lewis Holmes" <en***@nospam.nospam>
Subject: EnableEventValidation exception when dynamically adding controls
on client with JavaScript
>>>Date: Wed, 30 Apr 2008 13:33:53 +0100
>>>
Hi

I have the following situation in one of my asp.net pages.

The user can add multiple table rows to a form by selecting a button.
These
>>>rows can contain asp.net controls. When this button is selected, the row
is
>>>added using JavaScript. The script uses cloneNode to clone a hidden
template
>>>row and all of its children and then adds the new row to the table,
updates
>>>all of the child control Ids and sets visibility etc.
The hidden template row which is cloned to create the new rows is created
in
>>>server-side code and then hidden on the client using javascript so that
the
>>>user never realises it is there.

This is works correctly if I turn EnableEventValidation off on the page,
but
>>>with it on I get the exception "Invalid postback or callback argument."

I understand why this exception occurs (because I am creating new
controls
>>>on the client which are posting values back to the server), however is
there
>>>any way I can stop this exception from happening without turning
EnableEventValidation off?

I must stress, the controls are being created using JavaScript and so
from
>>>what I understand I cannot register them for event validation server-side
using something like:

protected override void Render(System.Web.UI.HtmlTextWriter
writer)
{
base.Render(writer);

this.Page.ClientScript.RegisterForEventValidati on(control.ID);
}

If there is no other way to stop this exception from happening, what can
I
>>>do to minimise injection attacks that may occur with
EnableEventValidation="false"?

Thanks

Lewis


Jun 27 '08 #5

This discussion thread is closed

Replies have been disabled for this discussion.