I have used ASP.NET MVC and there when I have for example dropdown list - I must check if selected value is correct because user can change value on dropdown list using for example Firebug.
I am new in ASP.NET Web Forms. I have for example:
<asp:DropDownList ID="DropDownList1" runat="server">
<asp:ListItem Value="1">One</asp:ListItem>
<asp:ListItem Value="2">Two</asp:ListItem>
</asp:DropDownList>
<asp:RadioButtonList ID="RadioButtonList1" runat="server">
<asp:ListItem Value="1" Selected="True">One</asp:ListItem>
<asp:ListItem Value="2">Two</asp:ListItem>
</asp:RadioButtonList>
I have changed in Firebug selected value in DropDownList1 on 3 and in RadioButtonList1 on 3 and submit form. Then I have error:
Invalid postback or callback argument. Event validation is enabled using in configuration or <%# Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for va...
Does it mean that I don't need to validate selected value because user can't change it?
Generally speaking, yes, EnableEventValidation works with that purpose in mind, you can read more here: http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableeventvalidation(v=vs.110).aspx
In particular:
When the EnableEventValidation property is set to true, ASP.NET validates that a control event originated from the user interface that was rendered by that control. A control registers its events during rendering and then validates the events during postback or callback handling. For example, if a list control includes options numbered 1, 2, or 3 when the page is rendered, and if a postback request is received specifying option number 4, ASP.NET raises an exception. All event-driven controls in ASP.NET use this feature by default.
So as a matter of fact you can be safe knowing that people cannot tweak your client HTML with the console and post back malicious data.
This said, you may want to put some guard in the server code just in case for some pages you need to disable event validation (it may happen if you want to submit strings that look like code or if you want to modify elements on the page with jQuery for example).
Related
I am running some scan testing on an asp.net website. The scanner is changing some of the data on the gridview such as follows:
Parameter GridCustom$ctl10$CHK_SelRcd manipulated from: on to: d4R4rs
As you can see a checkbox inside the grid GridCustom called "CHK_SelRcd" was modified and the grid did not detect this. Is there some type of command similar to:
GridCustom.IsValid()
That I can check if the controls have been tampered with (Or have invalid values such as above checkbox)
Thank You
I make a very small example using a DropDownList - and a post back.
<asp:DropDownList runat="server" ID="ddlTest">
<asp:ListItem Value="1" Text="1"></asp:ListItem>
<asp:ListItem Value="2" Text="2"></asp:ListItem>
<asp:ListItem Value="3" Text="3"></asp:ListItem>
</asp:DropDownList>
I change the Value of one using the inspect tools of the browser and here is the message I got.
Invalid postback or callback argument. Event validation is enabled
using in configuration or <%#
Page EnableEventValidation="true" %> in a page. For security
purposes, this feature verifies that arguments to postback or callback
events originate from the server control that originally rendered
them. If the data is valid and expected, use the
ClientScriptManager.RegisterForEventValidation method in order to
register the postback or callback data for validation.
Now there are parameters that even you can change it are not affect the results on code behind
for example
If you change the id, the post back send the name - so no affect there.
If you change the name again the post back is not affected because this is go to a parameter that not exists
If you replace two names each other its again finds it and throw an error.
I have some really weird stuff going on here.
I have the following RadComboBox and button in the master page:
<telerik:RadComboBox ID="rcbPesquisa" runat="server" CausesValidation="false" ShowToggleImage="false" LoadingMessage="Carregando..." HighlightTemplatedItems="true" OnClientKeyPressing="onKeyPressing" EmptyMessage="Buscar" EnableLoadOnDemand="True" EnableVirtualScrolling="true" OnItemsRequested="rcbPesquisa_ItemsRequested" AllowCustomText="True" AutoPostBack="true" OnSelectedIndexChanged="rcbPesquisa_SelectedIndexChanged" Width="350">
<asp:Button runat="server" ID="btnExcluir" Text="Excluir" OnClick="btnExcluir_Click" CausesValidation="true" ValidationGroup="Excluir" CssClass="btn" OnClientClick="return confirm('Deseja realmente excluir o registro?');" />
In the page, I have this validator:
<asp:CustomValidator ID="cuvExclusaoRelacionamento" runat="server" ValidationGroup="Excluir" OnServerValidate="cuvExclusaoRelacionamento_ServerValidate"></asp:CustomValidator>
What happens is: When i click the combobox, and it tries to load it's items, cuvExclusaoRelacionamento validator is called on the server, and of course things go south.
By the way... __EventTarget on cuvExclusaoRelacionamento_ServerValidate is empty
Unfortunately, and without seeing the full code I'm only guessing, I believe there is no way of getting around this due to the following settings:
ValidationGroup="Excluir" The ValidationGroup property assigned to an input control is the Validation Group which should be triggered when the control posts back; The ValidationGroup property of a validator control is the name of the group to which it is assigned; Finally the ValidationGroup property of a submitting control (which could be a button but can also be the input control) is the name of the group of Validators to validate the page against before posting back to the server. I should point out at this timethat it will not post back (server-side event handlers will not be triggered) if the validation fails. Given that the validation group of the control is the same as the validation group of your Custom Validator the validator will be triggered when the control attempts to post back to the server (e.g. when being clicked), if this validation fails it will not post back.
AutoPostBack="true" When you set the control to auto post back it will post back to the server when updated. Given you have an OnClick event I'm guessing you need to perform some server side action when the state of the control is changed.
CausesValidation="true" When set to true all validators assigned to the same "Validation Group" as the submitting control will be triggered when the control attempts to post back to the server. As I've said above, this will prevent post back (meaning the server-side Event Handlers will not be triggered) if the validation fails.
Given the information provided, I'm guessing that the best action you could take is to set CausesValidation="false" for the control. The validation can still be performed so long as you have a submit button (or other control which triggers a post back) elsewhere which is assigned to the "Excluir" Validation Group.
In ASP.net I have a simple textbox and radio button list with yes or no options. On the VB server-side I implement OnClick of the radio button and it does things.
<asp:RadioButtonList ID="rbltest" runat="server" AutoPostBack="true" OnSelectedIndexChange="rbltest_SelectedIndexChanged" <asp:ListItem Text="Yes" Value="0"></asp:ListItem>
<asp:ListItem Selected="True" Text="No" Value="1"></asp:ListItem>
</asp:RadioButtonList>
The only problem is simply that if I click the radio button, then enter data into the TextBox (immediately - in less than 2 seconds), when the radio button returns, it deletes the data. This is annoying. Is there anyway around it?
The only way to fix this is to remove AutoPostBack=true on the RadioButtonList control. The auto-postback option immediately initiates an HTTP post back to the server, so anything typed after then is going to be lost.
Other options:
Implement a client-side onclick handler, and disable the text while the post-back processes (ie, make it clear to the user that they can't type anything, aka the principle of least astonishment).
Implement the change logic completely on the client side using Javascript
Use the ASP.Net AJAX UpdatePanel to do the postback asynchronously (this would not require a full postback to the server, so would allow you to keep typing).
You must delete EnableViewState="false" on your control who lose data, and let default value of ViewState (true) on control.
My asp.net page has multiple text-boxes and DropDownLists that all have required-field validators.
My site also has multiple pages that you can move between with the click of a button. (All pages have all the buttons) When a page loads and decide I want to go to a different page without entering information into the form, I click a button to move to a separate page and the validation pops up and I can't change the page, it stops me every time?
Any ideas on how to stop this?
I know you already found a solution, but I just wanted to throw in another method for people to see.
When using validators it is common practice to use ValidationGroups. When a validator belongs to a ValidationGroup, it is only triggered by another control in the validation group. For example:
<asp:TextBox ID="NameBox" runat="server"/>
<asp:RequiredFieldValidator ID="NameVal" ControlToValidate="NameBox"
ValidationGroup="ValSubmit" runat="server"/>
//...More input fields and validators...
<asp:Button ID="SubmitButton" ValidationGroup="ValSubmit" runat="server"/>
Using this method any validators with the "ValSubmit" ValidationGroup will be triggered only by the SubmitButton and not by other controls. Now you don't have to put CausesValidation="false" on EVERYTHING else that causes a postback.
As everyone else had mentioned, set the CausesValidation property to false.
<asp:Button ID="MyButton" Text="Go Back" CausesValidation="False" />
This is straight from the Microsoft Help Page:
By default, page validation is performed when a Button control is clicked. Page validation determines whether the input controls associated with a validation control on the page all pass the validation rules specified by the validation control.
You can specify or determine whether validation is performed on both the client and the server when a Button control is clicked by using the CausesValidation property. To prevent validation from being performed, set the CausesValidation property to false.
Note:
You should set the CausesValidation property to false when you are using the PostBackUrl property to post back to a different page. You should explicitly check validation when posting back to a different page. For an example, see the Remarks section of the PostBackUrl property.
This property is commonly set to false for a reset or clear button to prevent validation from being performed when the button is clicked.
When the value of the CausesValidation property is set to true, you can also use the ValidationGroup property to specify the name of the validation group for which the Button control causes validation.
set property CausesValidation = "false" to the buttons where you don't want to trigger validation
CausesValidation="false" on the button ;)
<asp:Button CausesValidation="True|False" />
Gets or sets a value indicating whether validation is performed when the Button control is clicked.
read more about Button.CausesValidation Property
I have an ASP.NET form with a few controls and a submit button at the bottom, all inside an update panel:
<asp:UpdatePanel runat="server" ID="upContent">
<ContentTemplate>
<asp:TextBox runat="server" ID="tbxMyTextBox" AutoPostBack="true" />
<asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClientClick="return doStuff()" OnClick="btnSubmit_Click" />
</ContentTemplate>
</asp:UpdatePanel>
If I write something in the TextBox and click 'submit' immediately (without clicking out of the TextBox first), the changes are not recorded (as seen in the server-side event handler). However, if I write something in the TextBox, and then change focus to another control, an AutoPostback happens through the UpdatePanel and then clicking 'submit' does recognize these changes. How can I force this content to update right as I click the submit button, while still running both the clientside and serverside events attached to it? Thanks!
Is is possible that your text-box gets cleared due to some on-submit/on-click event handler? I will suggest you do use some tool such as Fiddler to inspect the POST data in request. Or you can put a break-point at your server side code and inspect the request data. Look for particularly Request.Form[tbxMyTextBox.UniqueID] - i.e. look for presence of value for your text-box's name (name property at client side which corresponds to UniqueID property at server side). If the request contains the value typed in the text-box then something is happening on server side but good news is you can always retrieve the value from Request object. If the value is not present in the Request object then it means that client side code is clearing the value before the submit.
If an onclick method returns false, it cancels the action that the button would normally perform. As your button would normally submit your form, but it appears not to be submitting, your client side javascript code in doStuff is probably returning false.