In a project I am currently working on, I developed a custom web part that basically renders a form and submits the entered data into a SharePoint list. The problem I was having is that when the form button was clicked, I got the following error:
"Invalid postback or callback argument. Event validation is enabled
using <pages enableEventValidation="true"/> in configuration or <%@ Page
EnableEventValidation="true" %> in a page. For security purposes, this
feature verifies that arguments to postback or callback events originate
from the server control that originally rendered them. If the data is
valid and expected, use the
ClientScriptManager.RegisterForEventValidation method in order to
register the postback or callback data for validation."
This error message is related to a new security enhancement brought by ASP.NET 2.0 called EventValidation. If enabled (default value), this new feature ensures that ASP.NET will only allow the specific events that are raised on a given control during a postback or callback. The main purpose of this security validation is to reduce the risk of unauthorized postback requests and callbacks (more information on this here).
After some research on the Internet, two main approaches were given:
- Set the <pages EnableEventValidation="false" …/> in the web.config or at the page level – This is not a recommended approach due to the associated security risks, since event validation will not be performed and the risk of unauthorized postback requests and callbacks will increase.
- Use the Page.ClientScript.RegisterForEventValidation(ctrl. UniqueID) in the control – this approach will register the given control and its events for event validation. This seemed like a good approach since it would allow maintaining the event validation but it didn't solve the problem. Apparently, the internal variable _requestValueCollection of the Page class, is never initialized, so method EnsureEventValidationFieldLoaded will never load the dictionary with UniqueIDs and therefore cannot find the control which is authorized to make postback via RegisterForEventValidation.
After this, I tried a different approach, more successfully. The web part is included in the context of a SharePoint page layout. After analyzing this web page, I found out that it included two nested <form></form> elements. After removing these elements, the form submission started working properly.