Closed

The ToolkitScriptManager causes the new ASP.Net 4.5 request validation mode to “break”

description

The description of this new ASP.Net 4.5 feature can be found here: http://www.asp.net/vnext/overview/whitepapers/whats-new#_Toc318097379
It allows people to keep ValidateRequest="true", even when working with "touchy" inputs.
Indeed, validation is deferred until you actually access request data, and you have the option to work with unvalidated fields thanks to Request.Unvalidated (and then do your own validation, for example).

But the ToolkitScriptManager control is using the request.Params collection ( http://msdn.microsoft.com/en-us/library/system.web.httprequest.params.aspx ) in ToolkitScriptManager.cs lines 302 and 303, which causes every field to be validated, thus killing the benefits of the new ASP.Net 4.5 request validation mode.
Indeed, when using request.Params, the following steps occur (based on decompilation of System.Web.HttpContext):
  • The getter calls the method System.Web.HttpRequest.GetParams()
  • If _params is null, GetParams() creates a new HttpValueCollection and then calls System.Web.HttpRequest.FillInParamsCollection()
  • This method calls the Add(NameValueCollection c) method of _params with, one by one, the following NameValueCollections: QueryString, Form, Cookies and ServerVariables
  • When reading the source code of Add(NameValueCollection c), we can see that it basically consists of a loop iterating over the collection in order to copy every Name/Value pair to the new collection, which triggers the deferred request validation for every field

My suggestion: make sure that request.Params is not used, and use the correct collection instead (request.Form in this case).

Version of ACT used: AjaxControlToolkit 4.1.60623 (downloaded from the official nuget source)
Version of .NET used: .NET 4.5 RTM

Reproduction steps:
• Create a new ASP.Net Empty Web Application (.NET Framework 4.5)
• Install-Package AjaxControlToolkit
• Add the attribute requestValidationMode="4.5" to the httpRuntime element in web.config (not sure if this is required because the default setting seems to be 4.5. The documentation is not yet complete regarding that and I didn't take the time to check).
• Add new Default.aspx page
• Add one textbox with ValidateRequestMode="Disabled" on the page
• Add one button on the page (or anything that can fire a postback)
• Test the page with valid and invalid text => it works
• Add a ToolkitScriptManager on the page
• Test the page with invalid text => HttpRequestValidationException raised in the ToolkitScriptManager.cs OutputCombinedScriptFile(HttpContext context) method because of request.Params["…anykey…"] usage

Closed Feb 11, 2013 at 5:35 PM by Superexpert
This issue is fixed in the January release.
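
A simplified console model of the behaviour reported in this issue, added here as an illustration; it is not ToolkitScriptManager or System.Web code. The class names, the `<` check standing in for the real validator, and the sample field values are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Simplified model, not System.Web code; every type and member name here is hypothetical.
class LazyCollection
{
    private readonly Dictionary<string, string> _raw;
    public LazyCollection(Dictionary<string, string> raw) { _raw = raw; }
    public IEnumerable<string> Keys { get { return _raw.Keys; } }

    // Deferred validation: the check runs only when a value is actually read.
    public string this[string key]
    {
        get
        {
            string value;
            if (!_raw.TryGetValue(key, out value)) return null;
            // Stand-in rule (assumption); the real ASP.NET validator is more involved.
            if (value.Contains("<"))
                throw new InvalidOperationException("Dangerous value in field '" + key + "'");
            return value;
        }
    }
}

static class Demo
{
    // Models the Params merge: copying each pair reads, and so validates, every value.
    static Dictionary<string, string> BuildParams(params LazyCollection[] sources)
    {
        var merged = new Dictionary<string, string>();
        foreach (var source in sources)
            foreach (var key in source.Keys)
                merged[key] = source[key];
        return merged;
    }

    static void Main()
    {
        // Constructed sample request data.
        var query = new LazyCollection(new Dictionary<string, string> { { "anyKey", "abc" } });
        var form = new LazyCollection(new Dictionary<string, string> {
            { "TextBox1", "<b>rich text</b>" } });

        Console.WriteLine("Single read: " + query["anyKey"]); // only this value is checked
        try { Console.WriteLine(BuildParams(query, form)["anyKey"]); }
        catch (InvalidOperationException ex) { Console.WriteLine("Merged read: " + ex.Message); }
    }
}
```

Reading one key from its own collection succeeds, while the merged lookup for the same key fails on an unrelated field, which is the pattern the reproduction steps show.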

comments

Benjiiim wrote Sep 29, 2012 at 5:44 PM

Unfortunately, the September 2012 Release of the Ajax Control Toolkit doesn't fix the problem.

Benjiiim wrote Jan 27, 2013 at 3:42 PM

Fixed in the January 2013 version.

Thanks!

RyanW wrote Feb 5, 2013 at 9:04 PM

Not fixed in January 2013 as far as I can see. Ran into this today.

RyanW wrote Feb 5, 2013 at 9:12 PM

I stand corrected, looks like I had the September version cached in /bin