.Net 4.5 supports ValidateRequestMode at the control level which is just fantastic and that works well with the built-in ScriptManager. If you swap the built-in ScriptManager for the ToolkitScriptManager things turn to custard.
Specifically if a less than (<) symbol is included in the control text the MicrosoftAjaxWebForms.js throws an error in the following snippet of code:
_endPostBack: function PageRequestManager$_endPostBack(error, executor, data) {
if (this._request === executor.get_webRequest()) {
this._processingRequest = false;
this._additionalInput = null;
this._request = null;
}
var eventArgs = new Sys.WebForms.EndRequestEventArgs(error, data ? data.dataItems : {}, executor);
Sys.Observer.raiseEvent(this, "endRequest", eventArgs);
if (error && !eventArgs.get_errorHandled()) {
throw error;
}
},
The problem is that the HttpRequestValidationException exception was thrown by the RequestValidator on the server ("A potentially dangerous Request.Form value was detected from the client...". I would normally expect this unless I set the control's ValidateRequestMode property to Disabled.
Attached is a very simple sample using the September 2012 release (build 60919) of the AjaxControlToolkit (binaries removed). To reproduce the issue spin up the site and click the "Try it" button. To see it working replace the ToolkitScriptManager with the built-in ScriptManager.
Issue has been reproduced with/without the AntiXssSanitizerProvider and with/without the System.Web.Security.AntiXss.AntiXssEncoder.
Specifically if a less than (<) symbol is included in the control text the MicrosoftAjaxWebForms.js throws an error in the following snippet of code:
_endPostBack: function PageRequestManager$_endPostBack(error, executor, data) {
if (this._request === executor.get_webRequest()) {
this._processingRequest = false;
this._additionalInput = null;
this._request = null;
}
var eventArgs = new Sys.WebForms.EndRequestEventArgs(error, data ? data.dataItems : {}, executor);
Sys.Observer.raiseEvent(this, "endRequest", eventArgs);
if (error && !eventArgs.get_errorHandled()) {
throw error;
}
},
The problem is that the HttpRequestValidationException exception was thrown by the RequestValidator on the server ("A potentially dangerous Request.Form value was detected from the client...". I would normally expect this unless I set the control's ValidateRequestMode property to Disabled.
Attached is a very simple sample using the September 2012 release (build 60919) of the AjaxControlToolkit (binaries removed). To reproduce the issue spin up the site and click the "Try it" button. To see it working replace the ToolkitScriptManager with the built-in ScriptManager.
Issue has been reproduced with/without the AntiXssSanitizerProvider and with/without the System.Web.Security.AntiXss.AntiXssEncoder.