usage of validate request and enable event validation in page tag of aspx [duplicate]_问答_开发者

usage of validate request and enable event validation in page tag of aspx [duplicate]

开发者 https://www.devze.com 2023-04-09 06:56 出处：网络

This question already has answers here: Closed 1开发者_JAVA技巧1 years ago. Possible Duplicate: enableEventValidation and validateRequest difference

相关专题：asp.net

This question already has answers here: Closed 1开发者_JAVA技巧1 years ago.

Possible Duplicate:
enableEventValidation and validateRequest difference

can someone explain correctly the need of

 validateRequest="false" 
  enableEventValidation="false"

in page tag

For enableEventValidation="false"

Read the documentation.

EDIT: For security reasons, it's probably best to leave it set to true wherever you can.

I would therefore recommend that you set it to false only on the individual AJAX pages where it causes problems, while leaving it true in web.config.

For validateRequest="false"

The "benefit" is that you have more control over the input validation. If ValidateRequest = true and the input has invalid characters then an ugly error page is showed to the user.

Although a little old, here you have a MSDN post about "Prevent Cross-Site Scripting in ASP.NET"

I am assuming that you are asking for a valid scenario where I would set validateRequest="false" and/or enableEventValidation="false".

enableEventValidation="false" is typically required when you use java-script to manipulate server control generated html. For example, if server side drop-down control was bound to have three values say "A","B","C" then those are only values expected when post-back happens. But if you are doing client-side manipulation and hence introduce extra value "D" and select it then ASp.NET will raise event validation error. So we have to suppress it. Particularly, changing the drop-down value (without post-back) can be quite common - populating cities based on state selection etc

validateRequest="false" is needed when you want to allow user to enter character sequences those are deemed dangerous - e.g. <script>bla bla...</script> will raise request validation error but if you are developing a developer forum/QA site such as SO that allows to post the code then request validation has to be disabled.

The ValidateRequest setting examines user input for potentially harmful information. For example, if ValidateRequest is set to true and you enter some markup into an TextBox, the request validation will fail and the page will error out.

The EnableEventValidation setting determines whether postback and callback events should validate that a control event originated from the user interface that was rendered by the control. This is usually encountered when server-side events are triggered by the user through JavaScript, like calling the __doPostBack function for example.