Tuesday, March 24, 2009

Using AJAX CascadingDropDown Extender with Page.EnableEventValidation Set to True

Using the CascadingDropDown control extender that ships with the AJAX Control Toolkit requires that EnableEventValidation property of the Page containing the target DropDownList control be set to false.
However, this can potentially expose our page to a malicious attack, since nothing can then prevent "generated" post-backs.
A more elegant approach is creating a class that derives from DropDownList as follows:

public class NoValidationDropDownList : DropDownList
{ }

After the class has been created, all we need to do is replace the instances of the DropDownList class with respective instances of the NoValidationDropDownList class.

The reason why this works is simple: ASP.NET only validates controls that are marked with the SupportsEventValidation attribute. Since our class is not marked with this attribute, ASP.NET does not validate items on post-back and, consequently, no exception is thrown.

Cheers,
Kirill
Posted by at
Labels: , ,

9 comments:

  1. AnonymousJuly 10, 2009 at 12:45 PM

    How do you get AJAX to replace its use of the DropDownList class with your NoValidationDropDownlist class?

    ReplyDelete
  2. Todd TaylorAugust 12, 2009 at 9:20 PM

    Thanks for the tip! I haven't found any other ways to get the cascading dropdown lists to work w/o disabling the event validation.

    ReplyDelete
  3. HajoSeptember 4, 2009 at 12:47 AM

    You are my hero of this day!
    thanks

    ReplyDelete
  4. RafaMarch 15, 2010 at 6:39 AM

    it's imposible to instance that class from the designer code of the page...

    It's a .vb class?
    It's a user control?

    ReplyDelete
  5. AnonymousMarch 17, 2010 at 1:03 PM

    Please - Can you show some example code?
    Thanks!

    ReplyDelete
  6. AnonymousMarch 18, 2010 at 11:53 AM

    I got it.
    You must to instance all at codebehind, at put it in a PlaceHolder.

    Design:


    CodBehind...

    using AjaxControlToolkit;

    ...

    private NoValidationDropDownList nvddl1;
    private NoValidationDropDownList nvddl2;
    private AjaxControlToolkit.CascadingDropDown cdd1;
    private AjaxControlToolkit.CascadingDropDown cdd2;

    ....

    Page_Load:
    ...
    nvddl1 = new NoValidationDropDownList();
    nvddl1.ID = "nvddl1";
    ph1.Controls.Add(nvddl1);

    cdd1 = new CascadingDropDown();
    cdd1.ID = "cdd1";
    cdd1.TargetControlID = "nvddl1";
    cdd1.Category = "YourCat1";
    cdd1.ServicePath = "Your.asmx";
    cdd1.ServiceMethod = "YourMethod1";
    ph1.Controls.Add(cdd1);

    nvddl2 = new NoValidationDropDownList();
    nvddl2.ID = "nvddl2";
    ph1.Controls.Add(nvddl2);

    cdd2 = new CascadingDropDown();
    cdd2.ID = "cdd2";
    cdd2.TargetControlID = "nvddl2";
    cdd2.Category = "YourCat2";
    cdd2.ServicePath = "Your.asmx";
    cdd2.ServiceMethod = "YourMethod2";
    ph1.Controls.Add(cdd2);

    ReplyDelete
  7. AnonymousMarch 18, 2010 at 11:56 AM

    I forgot:
    cdd2.ParentControlID = "nvddl1";

    ReplyDelete
  8. Inventory POS SystemJanuary 22, 2011 at 1:57 AM

    I appreciate your post, thanks for sharing the post, i would like to hear more about this in future.

    ReplyDelete
  9. AnonymousNovember 23, 2015 at 6:13 AM

    Thankyou for your post. I too didn't like the idea of setting EnableEventValidation to false. Thanks again.

    ReplyDelete

Subscribe to: Post Comments (Atom)