Does anyone have experience with turning off ASP.NET event validation ?
What is the complete set of consequences ?

I'm aware that event validation ensures that parameter values submitted to
event handlers for read-only ASP.NET web controls ( such as ListBox ) must
match the list of possible values available at the time the control is
rendered on the server; non-matching values will trigger a runtime
exception. Turning off event validation removes this restriction.

What are the other consequences of turning off event validation ?

<pages theme="theme" enableEventValidation="false">

The only real consequence of disabling eventvalidation is that you are no
longer protected from rogue hackers who've hijacked your page to attempt to
post illegal formfield values that you didn't intend to be available on the
page. That's all that eventvalidation does.
Peter

--
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net




"John Grandy" wrote:

> Does anyone have experience with turning off ASP.NET event validation ?
> What is the complete set of consequences ?
>
> I'm aware that event validation ensures that parameter values submitted to
> event handlers for read-only ASP.NET web controls ( such as ListBox ) must
> match the list of possible values available at the time the control is
> rendered on the server; non-matching values will trigger a runtime
> exception. Turning off event validation removes this restriction.
>
> What are the other consequences of turning off event validation ?
>
> <pages theme="theme" enableEventValidation="false">
>
>
>

I can't tell if you're taking this particular "rogue hacker" threat very
seriously if you're poking fun at Microsoft for what you perceive as their
very serious take on it.

The problem with ASP.NET event validation is that there are legitmate
reasons for not creating lists of allowed values for particular form fields
on the server-side, and instead dynamically creating these lists on the
client-side via script.


"Peter Bromberg [C# MVP]" <(E-Mail Removed)> wrote in
message news05C6134-BF73-4430-8DB7-(E-Mail Removed)...
> The only real consequence of disabling eventvalidation is that you are no
> longer protected from rogue hackers who've hijacked your page to attempt
> to
> post illegal formfield values that you didn't intend to be available on
> the
> page. That's all that eventvalidation does.
> Peter
>
> --
> Site: http://www.eggheadcafe.com
> UnBlog: http://petesbloggerama.blogspot.com
> Short urls & more: http://ittyurl.net
>
>
>
>
> "John Grandy" wrote:
>
>> Does anyone have experience with turning off ASP.NET event validation ?
>> What is the complete set of consequences ?
>>
>> I'm aware that event validation ensures that parameter values submitted
>> to
>> event handlers for read-only ASP.NET web controls ( such as ListBox )
>> must
>> match the list of possible values available at the time the control is
>> rendered on the server; non-matching values will trigger a runtime
>> exception. Turning off event validation removes this restriction.
>>
>> What are the other consequences of turning off event validation ?
>>
>> <pages theme="theme" enableEventValidation="false">
>>
>>
>>

I'm not poking fun at Microsoft at all on this one. Event validation is a
VERY useful feature. However, as you have noted, it can and does interfere
with legitimate dynamically created element (such as ListItems in a
dropdownlist, for example). However, there are ways to do this and still keep
event validation turned on. Do more research, you'll find some excellent
blog posts on this very subject.
Peter

--
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net




"John Grandy" wrote:

> I can't tell if you're taking this particular "rogue hacker" threat very
> seriously if you're poking fun at Microsoft for what you perceive as their
> very serious take on it.
>
> The problem with ASP.NET event validation is that there are legitmate
> reasons for not creating lists of allowed values for particular form fields
> on the server-side, and instead dynamically creating these lists on the
> client-side via script.
>
>
> "Peter Bromberg [C# MVP]" <(E-Mail Removed)> wrote in
> message news05C6134-BF73-4430-8DB7-(E-Mail Removed)...
> > The only real consequence of disabling eventvalidation is that you are no
> > longer protected from rogue hackers who've hijacked your page to attempt
> > to
> > post illegal formfield values that you didn't intend to be available on
> > the
> > page. That's all that eventvalidation does.
> > Peter
> >
> > --
> > Site: http://www.eggheadcafe.com
> > UnBlog: http://petesbloggerama.blogspot.com
> > Short urls & more: http://ittyurl.net
> >
> >
> >
> >
> > "John Grandy" wrote:
> >
> >> Does anyone have experience with turning off ASP.NET event validation ?
> >> What is the complete set of consequences ?
> >>
> >> I'm aware that event validation ensures that parameter values submitted
> >> to
> >> event handlers for read-only ASP.NET web controls ( such as ListBox )
> >> must
> >> match the list of possible values available at the time the control is
> >> rendered on the server; non-matching values will trigger a runtime
> >> exception. Turning off event validation removes this restriction.
> >>
> >> What are the other consequences of turning off event validation ?
> >>
> >> <pages theme="theme" enableEventValidation="false">
> >>
> >>
> >>
>
>
>