Background

Event validation is a useful protection that Microsoft added in asp.net 2.0 to protect against injection attacks via altered POST values. Unfortunately it was added very late in the cycle (between RC and RTM) and was effectively a breaking change for sites that used components that did not correctly register that they could invoke postbacks with asp.net.

At the time of release, DotNetNuke had a handful of items that did not work correctly with EnableEventValidation set to True (and additional one or two common Ajax frameworks also did not work as expected), so it was initially set to false. With the release of the 5.6.3 version of DotNetNuke, all these outstanding issues were reolved and the decision was made to update the web.config EnableEventValidation value to True as part of the upgrade to allow all sites to avail of this valuable security protection.

Potential problems

If you have a site that has a component that does not work with EventValidation, you will see an exception similar to this:

Invalid postback or callback argument. Event validation is enabled using <pages enableeventvalidation="true" /> in configuration or <%@ page enableeventvalidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.

If you see this error you can resolve it by setting EnableEventValidation to false in the web.config. However this is not ideal, as your site will not be availing of the useful functionality. As such we recommend you resolve the issue by reporting the problem to your vendor or by updating your own code – in each case additional code that uses RegisterForEventValidation will need to be added.