Callback ClientScriptManager.RegisterForEventValidation

Varangian wrote:

Hi all,

I have a question, what does the function ClientScriptManager.RegisterForEventValidation really do? Does it mean securing your client side code? more security?

The question is how to implement this function, a step by step example would be much appreciated.

I don't want to disable the EnableEventValidation property at Page level, security is an issue.

Thanks!

Teemu Keiski wrote:

Hi,

basically it is to tell which client-side event arguments your control is expecting and which should be allowed. E.g. it is basically validating if event is valid. From docs:

"
Balance the security benefit of event validation with its performance cost

Controls that derive from the System.Web.UI.WebControls and System.Web.UI.HtmlControls classes can validate that an event originated from the user interface that was rendered by the control. This helps prevent the control from responding to spoofed event notification. For example, the DetailsView control can prevent processing of a Delete call (which is not inherently supported in the control) and being manipulated into deleting data. This validation has some performance cost. You can control this behavior using the EnableEventValidation configuration element and the RegisterForEventValidation method. The cost of validation depends on the number of controls on the page, and is in the range of a few percent.

Security Note

It is strongly recommended that you do not disable event validation. Before disabling event validation, you should be sure that no postback could be constructed that would have an unintended effect on your application.
"

And here is one sample:
http://msdn2.microsoft.com/en-us/library/ms223395.aspx

--
Teemu Keiski
ASP.NET MVP, AspInsider
Finland, EU
http://blogs.aspadvice.com/joteke

Varangian wrote:

Thank you very much for your reply

is it the only function needed to secure page spoofing? no other functions needed?

however about that example.. how to use it when you have rendering controls dynamically.. for example in the same page I may have different controls

Teemu Keiski wrote:

Usually it is implemented in the control itself, as part of control's own
rendering process, as control knows what event arguments it expects. Doing on the page is pretty much when control's implementation is missing something.

Varangian wrote:

what do you mean exactly?

how to implement it for a page with multiple controls and multiple arguments?

Russell wrote:

Event validation ties in with the ASP.NET postback model where an event "target" (a control client ID) and event "argument" (a value) are returned through the postback call. Event validation lets you specify valid event arguments. Event validation does not prevent strange values from being entered in other controls on the form besides the target control. So event validation will not, for instance, screen the contents of all the text fields on a form. If you were concerned about SQL injection, for instance, you would still want to use parameters in your queries rather than concatenating field values directly into query strings.

Varangian wrote:

Basically what I have is dropdownlists being filled with details upon
clicking of an ImageButton. These ImageButtons are being rendered dynamically on Page_Load not at Design mode while the Dropdownlists are being created at Design mode. I also have a textbox accepting input from the user. All these are made with Callbacks events.

Then I have a Button that I want it to do a normal PostBack, however when I click this non-callback Button an error pops regarding EventValidation has to be set to false or something like that. Now I don't want to remove it, since security is an Issue and I don't want to risk my page being spoofed since I have a big chunk of Javascript. RegisterForEventValidation seems to be the solution but I don't know how to use it exactly.

I followed the microsoft example, it works, but when it comes to controls at Run-time I don't know how to do it!
Please any help would be appreciated most!
Thank you!

hello, any help please, no-one came in front of such thing?
thank you!
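
The scenario described in the thread (a design-time DropDownList filled on the client by callbacks, run-time ImageButtons, and a Button doing a normal postback), as an added example that is not code from the thread or from the linked Microsoft sample. The page name, the control IDs (ButtonHolder, DetailsList, SaveButton), the client functions loadDetails/fillDetails and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical DetailsPage.aspx. Assumed markup (not from
// the thread): <asp:PlaceHolder ID="ButtonHolder">, an empty
// <asp:DropDownList ID="DetailsList"> and
// <asp:Button ID="SaveButton" OnClick="SaveButton_Click">.
public partial class DetailsPage : Page, ICallbackEventHandler
{
    // Constructed sample data: categories, and the values a callback may
    // hand to the client for each one.
    private static readonly string[] Categories = { "books", "music" };
    private string callbackCategory;

    private static string[] DetailValuesFor(string category)
    {
        switch (category)
        {
            case "books": return new string[] { "b-100", "b-200" };
            case "music": return new string[] { "m-100" };
            default: return new string[0];
        }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // fillDetails is a hypothetical client function that turns the
        // callback result into <option> elements of DetailsList.
        string call = ClientScript.GetCallbackEventReference(
            this, "category", "fillDetails", "null");
        ClientScript.RegisterClientScriptBlock(GetType(), "loadDetails",
            "function loadDetails(category) { " + call + "; }", true);

        // Run-time controls are re-created on every request with the same
        // IDs, so their UniqueID is stable between render and postback.
        foreach (string category in Categories)
        {
            ImageButton button = new ImageButton();
            button.ID = "img_" + category;
            button.ImageUrl = "~/images/" + category + ".gif";
            // Callback only: "return false" suppresses the normal postback.
            button.OnClientClick = "loadDetails('" + category + "'); return false;";
            ButtonHolder.Controls.Add(button);
        }
    }

    public void RaiseCallbackEvent(string eventArgument)
    {
        callbackCategory = eventArgument;
    }

    public string GetCallbackResult()
    {
        // Unknown categories yield an empty result, never client-chosen values.
        return string.Join("|", DetailValuesFor(callbackCategory));
    }

    protected override void Render(HtmlTextWriter writer)
    {
        // RegisterForEventValidation only works during Render. DetailsList
        // renders empty, so every value the callback can add is registered
        // here as an allowed argument for the list's UniqueID.
        foreach (string category in Categories)
            foreach (string value in DetailValuesFor(category))
                ClientScript.RegisterForEventValidation(DetailsList.UniqueID, value);
        base.Render(writer);
    }

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // The list has no server-side items, so the posted value is read from
        // the form. An unregistered value never reaches this handler: event
        // validation rejects the postback while post data is loaded.
        string selected = Request.Form[DetailsList.UniqueID];
        Trace.Write("detail", selected);
        // Text box input is not covered by event validation; it still needs
        // its own validation and parameterized queries.
    }
}
```

With this in place EnableEventValidation stays on: the normal postback from SaveButton succeeds for any registered value, while a posted value outside the registered set is still rejected.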