The description of this new ASP.Net 4.5 feature can be find here : http://www.asp.net/vnext/overview/whitepapers/whats-new#_Toc318097379
It allows people to keep the ValidateRequest="true", even when working with "touchy" inputs.
Indeed, validation is deferred until you actually access request data, and you have the option to work with unvalidated field thanks to Request.Unvalidated (and then make your own validation for example)
But the ToolkitScriptManager controls is using the request.Params collection ( http://msdn.microsoft.com/en-us/library/system.web.httprequest.params.aspx ) in ToolkitScriptManager.cs line 302 and 303, which is causing every fields to be validated, and such killing the benefits of the new ASP.Net 4.5 request validation mode.
Indeed, when using request.Params, the following steps occur (based on Decompilation of System.Web.HttpContext) :
- the getter calls the method System.Web.HttpRequest.GetParams()
- If _params is null, GetParams() creates a new HttpValueCollection and then call System.Web.HttpRequest.FillInParamsCollection()
- This method calls the Add(NameValueCollection c) method of _params with one by one the following NameValueCollections: QueryString, Form, Cookies and ServerVariables
- When reading the source code of Add(NameValueCollection c), we can see that it basically consists of a loop iterating on the collection in order to copy every Name/Value to the new collection, which is causing the deferred request validation for every fields
My suggestion: make sure that request.Params is not used and use the correct collection instead (request.Form in this case)
Version of ACT used: AjaxControlToolkit 4.1.60623 (downloaded from the official nuget source)
Version of .NET used: .NET 4.5 RTM
Reproduction steps:
• Create a new ASP.Net Empty Web Application (.NET Framework 4.5)
• Install-Package AjaxControlToolkit
• Add the attribute requestValidationMode="4.5" to the httpRuntime element in web.config (not sure if this is required because the default setting seems to be 4.5. The documentation is not yet complete regarding that and I didn't took the time to check).
• Add new Default.aspx page
• Add one textbox with ValidateRequestMode="Disabled" on the page
• Add one button on the page (or anything that can fire a postback)
• Test the page with valid and invalid text => it works
• Add a ToolkitScriptManager on the page
• Test the page invalid text => HttpRequestValidationException raised in ToolkitScriptManager.cs OutputCombinedScriptFile(HttpContext context) method because of request.Params["…anykey…"] usage
Comments: Not fixed in January 2013 as far as I can see. Ran into this today.
It allows people to keep the ValidateRequest="true", even when working with "touchy" inputs.
Indeed, validation is deferred until you actually access request data, and you have the option to work with unvalidated field thanks to Request.Unvalidated (and then make your own validation for example)
But the ToolkitScriptManager controls is using the request.Params collection ( http://msdn.microsoft.com/en-us/library/system.web.httprequest.params.aspx ) in ToolkitScriptManager.cs line 302 and 303, which is causing every fields to be validated, and such killing the benefits of the new ASP.Net 4.5 request validation mode.
Indeed, when using request.Params, the following steps occur (based on Decompilation of System.Web.HttpContext) :
- the getter calls the method System.Web.HttpRequest.GetParams()
- If _params is null, GetParams() creates a new HttpValueCollection and then call System.Web.HttpRequest.FillInParamsCollection()
- This method calls the Add(NameValueCollection c) method of _params with one by one the following NameValueCollections: QueryString, Form, Cookies and ServerVariables
- When reading the source code of Add(NameValueCollection c), we can see that it basically consists of a loop iterating on the collection in order to copy every Name/Value to the new collection, which is causing the deferred request validation for every fields
My suggestion: make sure that request.Params is not used and use the correct collection instead (request.Form in this case)
Version of ACT used: AjaxControlToolkit 4.1.60623 (downloaded from the official nuget source)
Version of .NET used: .NET 4.5 RTM
Reproduction steps:
• Create a new ASP.Net Empty Web Application (.NET Framework 4.5)
• Install-Package AjaxControlToolkit
• Add the attribute requestValidationMode="4.5" to the httpRuntime element in web.config (not sure if this is required because the default setting seems to be 4.5. The documentation is not yet complete regarding that and I didn't took the time to check).
• Add new Default.aspx page
• Add one textbox with ValidateRequestMode="Disabled" on the page
• Add one button on the page (or anything that can fire a postback)
• Test the page with valid and invalid text => it works
• Add a ToolkitScriptManager on the page
• Test the page invalid text => HttpRequestValidationException raised in ToolkitScriptManager.cs OutputCombinedScriptFile(HttpContext context) method because of request.Params["…anykey…"] usage
Comments: Not fixed in January 2013 as far as I can see. Ran into this today.