.NET 4.5 supports ValidateRequestMode at the control level, which is just fantastic, and that works well with the built-in ScriptManager. If you swap the built-in ScriptManager for the ToolkitScriptManager, things turn to custard.
Specifically, if a less-than (<) symbol is included in the control text, the MicrosoftAjaxWebForms.js throws an error in the following snippet of code:
```
_endPostBack: function PageRequestManager$_endPostBack(error, executor, data) {
    if (this._request === executor.get_webRequest()) {
        this._processingRequest = false;
        this._additionalInput = null;
        this._request = null;
    }
    var eventArgs = new Sys.WebForms.EndRequestEventArgs(error, data ? data.dataItems : {}, executor);
    Sys.Observer.raiseEvent(this, "endRequest", eventArgs);
    if (error && !eventArgs.get_errorHandled()) {
        throw error;
    }
},
```
The problem is that the HttpRequestValidationException exception was thrown by the RequestValidator on the server ("A potentially dangerous Request.Form value was detected from the client..."). I would normally expect this unless I set the control's ValidateRequestMode property to Disabled.
Attached is a very simple sample using the September 2012 release (build 60919) of the AjaxControlToolkit (binaries removed). To reproduce the issue, spin up the site and click the "Try it" button. To see it working, replace the ToolkitScriptManager with the built-in ScriptManager.
Issue has been reproduced with/without the AntiXssSanitizerProvider and with/without the System.Web.Security.AntiXss.AntiXssEncoder.
Comments: Just encountered this today with the January release as well.
```
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ctl00$MainContentPlaceHolder$txtContentDisabled="<div>test</div>").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +9664733
   System.Web.<>c__DisplayClass5.<ValidateHttpValueCollection>b__3(String key, String value) +18
   System.Web.HttpValueCollection.EnsureKeyValidated(String key) +9664149
   System.Web.HttpValueCollection.GetValues(Int32 index) +29
   System.Collections.Specialized.NameValueCollection.Add(NameValueCollection c) +84
   System.Web.HttpRequest.FillInParamsCollection() +48
   System.Web.HttpRequest.GetParams() +80
   System.Web.HttpRequest.get_Params() +30
   AjaxControlToolkit.ToolkitScriptManager.OutputCombinedScriptFile(HttpContext context) +48
   AjaxControlToolkit.ToolkitScriptManager.OnInit(EventArgs e) +51
   System.Web.UI.Control.InitRecursive(Control namingContainer) +134
   System.Web.UI.Control.InitRecursive(Control namingContainer) +290
   System.Web.UI.Control.InitRecursive(Control namingContainer) +290
   System.Web.UI.Control.InitRecursive(Control namingContainer) +290
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6704
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +245
   System.Web.UI.Page.ProcessRequest() +72
   System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
   System.Web.UI.Page.ProcessRequest(HttpContext context) +58
   ASP.test_validaterequestwithmaster_aspx.ProcessRequest(HttpContext context) in c:\Users\*\AppData\Local\Temp\Temporary ASP.NET Files\root\f82a0b43\4c12d22c\App_Web_cxsogiep.7.cs:0
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +341
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69
```
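
In the stack trace above, the exception is raised while `ToolkitScriptManager.OnInit` reads `HttpRequest.Params`, which walks every posted value. The following is an added example, not code from this issue or from AjaxControlToolkit: a hypothetical `ProbeControl` that shows that read beside a narrower one. It assumes `<httpRuntime requestValidationMode="4.5" />`; the class name and the `probe` key are invented for illustration.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added illustration: a hypothetical control, not AjaxControlToolkit code.
// Assumes <httpRuntime requestValidationMode="4.5" /> so validation is per key.
public class ProbeControl : Control
{
    private const string ProbeKey = "probe";   // hypothetical query-string key

    // true  = read through Request.Params (the pattern in the stack trace)
    // false = read through Request.QueryString only
    public bool ReadThroughParams { get; set; }

    public string ProbeValue { get; private set; }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        HttpRequest request = Context.Request;

        if (ReadThroughParams)
        {
            // Params merges QueryString, Form, Cookies and ServerVariables.
            // Building it touches every posted value, so a TextBox posting
            // "<div>test</div>" raises HttpRequestValidationException here,
            // even if that TextBox has ValidateRequestMode="Disabled".
            ProbeValue = request.Params[ProbeKey];
        }
        else
        {
            // Only this key is validated; other controls' form values are
            // left alone until something reads them.
            ProbeValue = request.QueryString[ProbeKey];
        }
    }

    protected override void Render(HtmlTextWriter writer)
    {
        // Encode on output: the value came from the client.
        writer.Write(HttpUtility.HtmlEncode(ProbeValue ?? "(none)"));
    }
}
```

Placing the control on a page next to a `TextBox` with `ValidateRequestMode="Disabled"` and toggling `ReadThroughParams` shows whether the postback fails in `OnInit` or completes.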