TomBecker.net

Event Validation Error

So I just spent the last hour or so here trying to figure out the following error:



So if you've seen this error you no doubt have flat spots on your head from banging your head against the cube wall

The popular message out in the vast expanse of the internet is to just set the EnableEventValidation="false" either in the page directive or in the web.config file. Let me first state that, yes that will work. But more importantly let me tell you what a bad idea this is. This nice little feature protects you from you from Cross site scripting (XSS) as well as many other nasty little things/people that are waiting to take down your site. So just get that idea out of your head unless you feel like writing your own validation code to make sure nothing gets in that you don't want to. Go ahead, I'll wait...

Ok, so now that you forgot about the cheap work around. Here are the two main things to look for (from my experience/research) . One, nested form tags. ASP.Net isn't a fan. Remember if you are using master pages, the child page does not need a form tag, that is in the master page. Second, and this is what i finally figured out was my problem. The postback was coming from an imagebutton inside of a gridview control. I was binding the gridview on each postback. So what was happening was, I was losing the select event when I re-bound the grid. So I stuck the function that was binding my grid inside a conditional !Page.IsPostBack.

So before you go and open up your site for some serious vulnerabilities, check to make sure your coding logic is sound and it isn't something small you've over looked.

Labels: .NET

posted by Tom Becker at 2/21/2008