I've used the following in web.config
<pages enableEventValidation="false">
This corrects a problem we've been having with Ajax.
We have a web page that if you browse to directly using a standard HTML hyperlink works fine.
If you browse to the page from another page via link inside a gridview and response.redirecting in the RowCommand event to the page passing an ID in the querystring. The page throws errors from controls inside the panel stating
"Invalid postback or callback argument. Event validation is enabled using in configuration or <%# Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation. "
I'm happy to leave the page validation as false as it seems to have had no other effect.
Any ideas what's happening?
Read the documentation.
EDIT: For security reasons, it's probably best to leave it set to true wherever you can.
I would therefore recommend that you set it to false only on the individual AJAX pages where it causes problems, while leaving it true in web.config.
From here
Invalid PostBack or CallBack argument error is basically raise because of Event Validation feature. The EventValidation feature is a new feature in ASP.NET 2.0, and provides an additional level of checks to verify that a postback from a control on the client is really from that control and not from someone malicious using something like a cross-site script injection to try and manipulate things. It is part of our overall strategy of increasingly adding security in depth levels to the programming model -- so that developers can be secure by default even if they forget to add security checks of their own.
Now, Invalid PostBack or CallBack argument error may occur when you are firing click event and the object is rebinding or its properties are changed in Page_Load event or someone is trying to hack into your system with cross site scripting. Each time .Net Framework render a page then it associate a unique Guid for all the controls. When binding a gridview or repeater, on each databind framework will associate a new guid for the contorl. So every time when you are firing event make sure Page_Load event does not change the control, because if the control changed the it will have a different Guid which have acutally fired the event for postback. Here are some scenario with this error.
1) Invalid Postback or Callback argument in GridView Problem may be: You are binding data in Page_Load event with either Object Data Source or Manual Binding with function call. This will make your GridView bind data on every event fire of any control. When you are firing any GridView command with OnRowCommand, before RowCommand fire your GridView will rebind and all control within it will be assigned to new id. So RowCommand could not get the item which have fired the event. Solution for Invalid Postback or Callback argument in GridView: You can bind your data within this if condition
if (!IsPostBack)
{
//Your code for Bind data
}
This code will definitely give you solution if this not work then check whether any other control is not giving error.
There is one thing worth adding here: If you want to disable the event validation for a specific control, rather than the entire page, there is a workaround documented here and here (and now referenced in the relevant Connect suggestion):
Simply subclass the relevant WebControl class, and don't set the SupportsEventValidation attribute on the subclass. The subclass will be exempt from event validation.
Related
I have a listbox which is part of a composite control.
I add items by javascript. If I submit without selecting items(click on one or more of them), it works fine, but if I click on one of the items, it causes the following error.
Invalid postback or callback argument. Event validation is enabled using in configuration or <%# Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
I tried to register some possible values using Page.ClientScript.RegisterForEventValidation and it works fine for that values(in case when I selected one of them). So if I register all possible values, then i won't have problems. But the possible values are about 29000 int values.In my opinion, calling a service to get and register values is not a good solution.
Is there any other approach to solve this?
I have a form where I dynamically populate a DropDownList using Jquery's ajax function to retrieve a list of values from a web service. I originally had a Button control which submitted the form. This caused the "exception:Invalid postback or callback argument. Event validation is enable...." error.
After researching options, such as disabling event validation (bad) and registering for event validation (which would not work in this case) the best option seemed to be to swap the Button control for a LinkButton control. I did this and, sure enough, it works fine now.
My question is...why?
What is different about the LinkButton that means that it does not cause the event validation error and have I, by changing to a LinkButton, introduced a new security risk because event validation isn't happening?
The postback validation error is happening because the data you send back at the postback is no the same than when it was sent by the server.
You should take a look at this blog post by Scott K. Allen. He suggests to add all the possible values for your dropdown in the Render event for your web page.
You could also create your own version of the DropDownList since it won't require event validation as this guy suggests.
My personnal take is that you might have to rethink how you interact with your data. If you need to feed dynamically your DropDownList and you use ASP.NET WebForms then you are required to have a PostBack for that. You could use a UpdatePanel to make it feel "Ajax" if you want.
I've got a .ascx server control in ASP.NET 2.0 that contains several other .ascx server controls. Everything in the top-level one is wrapped in an UpdatePanel. It works great until the second time I do something on the page, and then I get this error in an alert dialog:
Invalid postback or callback argument. Event validation is enabled using in configuration or <%# Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
This seems like a common error; a Google search turns up several results. They all seem to say that if a postback happens, you have to make sure to call Update on any UpdatePanels that contain controls that were updated. But when I'm debugging this my whole page is contained inside one UpdatePanel (whose UpdateMode is Always), so that doesn't seem right. What's going on?
I recently started using ScriptManager. I have an ASP.NET DropDownList control that I'm populating via JavaScript. However, I'm using Event Validation. So I run into the error below if I don't use the "RegisterForEventValidation" call here for my dropdown. How do I know what value(s) to set in the second argument (where I have "value")? I am populating my dropdown via JavaScript, so I won't know what values are there from my code behind. I'm guessing that Render is called during an AJAX partial rendering postback, correct? Or is it not, so this is called regardless of whether I'm doing a full page postback or not. I guess I'm wanting to hear not only the answer to my question, but if you can share your experiences with me about the error below. I love input, just like Johnny #5.
==================
Code behind:
Protected Overrides Sub Render(ByVal writer As System.Web.UI.HtmlTextWriter)
Page.ClientScript.RegisterForEventValidation(DDLTest.UniqueID, "value")
MyBase.Render(writer)
End Sub
==================
Error:
Server Error in '/' Application.
Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%# Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ArgumentException: Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%# Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
After extensive research from reading about Script Manager and trial and error, here is what I found.
You can disable event validation, but that is not always the best option because it's good practice to have both JavaScript validation as well as ASP.NET validation. That is the whole purpose of registering these values in your dropdowns. If you have JavaScript that injects options into your select (a select renders from an ASP.NET DropDownList control) you want to prevent script injection whenever possible.
ANSWER TO MY QUESTION: So to do this, we call this RegisterForEventValidation for EVERY possible value that can ever appear in that dropdown for any possible situation in your application. In my case, I had two dropdowns. One dropdown used to cause a postback and re-populated the second dropdown with values based on the first dropdown. However, now I'm using JavaScript to inject the values into the dropdown with jQuery.
Before re-populating the values, I remove all values with jQuery.
jQuery("#<%=DDLTest.ClientID %>").children("option").each(function() {
jQuery(this).remove();
});
When my first dropdown changes, I repopulate the second dropdown with the values relevant for the first dropdown value.
var map = {
"1112": "Hair 5 Drug Panel",
"1121": "Hair 5 Drug Panel and Extended Opiates Limit of Detection Test",
"1120": "Hair 5 Drug Panel Limit of Detection Test"
};
var thisTemp = this; // the reason I do this is because "this" is already being used in the callback.
jQuery.each(map, function(key, val) {
jQuery(thisTemp.Elements.DDLTest).append(jQuery("<option></option>").val(key).text(val));
});
And select the value I need.
jQuery(this.Elements.DDLTest).val(quickDataEntryObject.TestPricingOptionId);
However, before all this JavaScript stuff happens, I am registering the possible values for the dropdown. You MUST do this in the Render event.
Protected Overrides Sub Render(ByVal writer As System.Web.UI.HtmlTextWriter)
Dim testPricingOptionTable As DataTable = ApplicationContext.Database.ExecuteDataSet("procEventValidationRegisteredValues", "test_pricing_options").Tables(0)
For Each testPricingOptionRow As DataRow In testPricingOptionTable.Rows
Page.ClientScript.RegisterForEventValidation(DDLTest.UniqueID, testPricingOptionRow(0).ToString)
Next
MyBase.Render(writer)
End Sub
For event validation to work property, you have to register every possible POST value for the control using RegisterForEventValidation. You can invoke this method multiple times for the same control to register multiple value.
Sometimes, this is not possible - for example, in your case where you are populating drop-down dynamically from java-scripts. Solution(s) would be
Disable event validation for entire page
Use some clever tricks - for example, register some value for event validation that preferably be always present in the drop-down list (e.g. "--Select--"), on submit, put the selected drop-down value into a hidden field and set the drop-down selected value to the value that we used for registration. You may need to add that value to drop-down if not present.
Write your own custom control that does not participate in event validation or does it as per your needs.
I generally go by #1 or #3 based on requirements/budget etc.
Using ASP.NET VB, I have a form with some text boxes and a Gridview. If a user clicks the Edit button on a row in the gridview, and then tries to submit the form with a row still in edit mode on the Gridview, this error is generated -
"Invalid postback or callback argument. Event validation is enabled using in configuration or <%# Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation. "
Any idea how to prevent this error??
just go to web.config and make it false.
i also face that error and i fixed it by doing this.
check these link as reference
http://www.c-sharpcorner.com/Forums/ShowMessages.aspx?ThreadID=35528
http://channel9.msdn.com/forums/TechOff/155642-Invalid-postback-or-callback-argument-Wants-event-validation-enabled/
check my answer if you get your answer and vote it.thanx