What is the use of the ClientScript.RegisterForEventValidation() method in the ClientScriptManager class? How can we avoid disabling event validation in ASP.Net?
Sometimes we get the following error when we post an ASP.Net form after manipulating the DOM with JavaScript, for example by inserting or deleting elements or properties.
Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
This method was introduced in ASP.Net 2.0 for security purposes. Using it removes the need to disable a security check called event validation.
What's New in ASP.Net 2.0?
ASP.Net 2.0 performs a new check on every postback, called EventValidation. For this check, ASP.Net records the controls and their values at every render. During a postback, the control that generates the event and the data it posts are checked against the list recorded in the last render. For example, if a dropdown with values 1, 2, 3 is rendered to the client and someone adds a fourth option, say "4", on the client (using JavaScript) and posts it to the server, the validation fails. By default ASP.Net treats this as an attack, since the content differs from what was rendered, and the runtime throws an exception.
There are 3 overloads:
RegisterForEventValidation Overloads
ClientScriptManager.RegisterForEventValidation (String uniqueid, String value)
ClientScriptManager.RegisterForEventValidation (String uniqueid)
ClientScriptManager.RegisterForEventValidation (PostBackOptions options)
uniqueid
The uniqueid of the server control that is generating a server side event or postback.
Usage
Sometimes we need to populate a server control such as a DropDownList or ListBox from client-side JavaScript. For example, consider a dropdown named ddlLanguages containing 3 list items that are populated from JavaScript like this:
Add new Options to DropDownList
// Look up the rendered <select> once (document.all is IE-only, so use getElementById)
var ddl = document.getElementById("ddlLanguages");
var oOption = document.createElement("option");
oOption.text = "English";
ddl.options.add(oOption);
oOption = document.createElement("option");
oOption.text = "Tamil";
ddl.options.add(oOption);
oOption = document.createElement("option");
oOption.text = "Hindi";
ddl.options.add(oOption);
After this, if we try to post this form to the server through a button click, ASP.Net will throw the error below:
Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
The message above suggests an obvious way to get rid of the error, i.e. by setting
<pages enableEventValidation="false"/> in Web.Config or,
<%@ Page EnableEventValidation="false" %> in a page attribute
By doing this, we disable event validation and give an attacker a way in. This can be avoided by using the RegisterForEventValidation methods of the ClientScriptManager class in ASP.Net 2.0. We need to register the server control's unique ID together with all the possible values that JavaScript can post for that control, in the Render method of the page. So, to prevent the exception in our example:
EventValidation Error Resolution
protected override void Render(System.Web.UI.HtmlTextWriter writer)
{
    // Register every value the client script may post for this control.
    // UniqueID is the name the control posts under; a literal with a trailing
    // space ("ddlLanguages ") would never match it.
    ClientScript.RegisterForEventValidation(ddlLanguages.UniqueID, "English");
    ClientScript.RegisterForEventValidation(ddlLanguages.UniqueID, "Tamil");
    ClientScript.RegisterForEventValidation(ddlLanguages.UniqueID, "Hindi");
    base.Render(writer);
}
The 2nd overload can be used to register a server control that causes the postback event as safe, while the 3rd overload takes a PostBackOptions object, which specifies how a server control generates the JavaScript that performs a postback. Refer to the MSDN link to know more.
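The registration described above, extended to the postback side, as an added example that is not part of the original article: the allowed values live in one server-side list that is both registered during Render and re-checked when the form comes back. The class name LanguagePage, the btnSubmit_Click handler and the lblResult label are assumptions for illustration; ddlLanguages is the dropdown from the article.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind class; the two controls are assumed to be declared
// in the .aspx markup with runat="server" and matching IDs.
public class LanguagePage : Page
{
    protected DropDownList ddlLanguages;
    protected Label lblResult;

    // Single source of truth for what the client script is allowed to post.
    private static readonly string[] AllowedLanguages = { "English", "Tamil", "Hindi" };

    protected override void Render(HtmlTextWriter writer)
    {
        // RegisterForEventValidation may only be called during Render.
        foreach (string language in AllowedLanguages)
        {
            ClientScript.RegisterForEventValidation(ddlLanguages.UniqueID, language);
        }
        base.Render(writer);
    }

    // Assumed to be wired to a submit button's Click event in the markup.
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Options added by JavaScript are not in ddlLanguages.Items, so the
        // posted value is read from the form collection under the UniqueID.
        string posted = Request.Form[ddlLanguages.UniqueID];

        // Event validation has already rejected unregistered values before
        // this handler runs; this check keeps the allowlist enforced even if
        // event validation is later switched off for the page or the site.
        if (Array.IndexOf(AllowedLanguages, posted) < 0)
        {
            lblResult.Text = "Unsupported language.";
            return;
        }

        // Label.Text is not HTML-encoded automatically.
        lblResult.Text = "Selected: " + Server.HtmlEncode(posted);
    }
}
```

Because the JavaScript options set only their text, the browser posts the option text as the value, which is why the registered strings match the visible labels.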