I received a couple of questions by private email regarding my previous post about ValidateRequest. I believe it may be useful to post them (and the answers!), thus saving me from receiving the same questions again :)
Q: At which point does the framework call HttpRequest.ValidateInput (if it does so) to force validation on subsequent access to the collections?
A: Yes, the framework will call HttpRequest.ValidateInput. This is done by the page parser when generating a new class based on the .aspx file; the generated class overrides the TemplateControl.FrameworkInitialize method to add a call to HttpRequest.ValidateInput (along with other initialization code that has existed since the 1.0 bits), i.e.:
[C#]
    protected override void FrameworkInitialize()
    {
        // other init code goes here
        this.Request.ValidateInput();
    }
Q: Is a collection validated every time it is accessed? Is some caching being done to avoid this?
A: No. Each of the three guarded collections (Cookies, Form, QueryString) will be validated just once. After a collection passes validation, the corresponding bit flag indicating that validation is required (which was previously set by HttpRequest.ValidateInput) is cleared. Further accesses just return the collection without any validation.
Q: Can I force request validation to happen from inside my custom control no matter what value the page developer has set the ValidateRequest attribute to?
A: I believe the best you can do in this case is to call HttpRequest.ValidateInput as soon as possible from your custom control code, for example in your class ctor. This should enforce validation before any event handler coded by the page developer runs. Of course, the ctor for any other control which is located above yours in the control tree hierarchy could actually access these collections without any validation.
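A sketch of the constructor approach from the last answer, as an added example that is not code from the original post. The control name `ValidatedEchoLabel` and its `FieldName` property are hypothetical; it assumes the control runs inside a normal ASP.NET request, and it uses HttpContext.Current because the Page property is not yet set while a control's constructor runs.

```csharp
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical control, for illustration only.
public class ValidatedEchoLabel : WebControl
{
    public ValidatedEchoLabel()
    {
        // HttpContext.Current is null in the designer, so guard against it.
        HttpContext context = HttpContext.Current;
        if (context != null)
        {
            // Marks Cookies, Form and QueryString as "validation required",
            // even when the page declares ValidateRequest="false".
            context.Request.ValidateInput();
        }
    }

    // Hypothetical property: name of the posted form field to echo back.
    public string FieldName
    {
        get { object o = ViewState["FieldName"]; return o == null ? "comment" : (string)o; }
        set { ViewState["FieldName"] = value; }
    }

    protected override void RenderContents(HtmlTextWriter writer)
    {
        HttpContext context = HttpContext.Current;
        if (context == null) return; // design time: nothing to echo

        string value;
        try
        {
            // The first access to Form after ValidateInput runs the check;
            // later accesses return the collection without re-validating.
            value = context.Request.Form[FieldName];
        }
        catch (HttpRequestValidationException)
        {
            // Suspicious input was posted: render a neutral message instead.
            value = "[input rejected by request validation]";
        }

        // Request validation is only a first filter; still encode on output.
        writer.Write(HttpUtility.HtmlEncode(value));
    }
}
```

As the answer notes, a control constructed earlier in the tree can still read the collections before this constructor runs, so this narrows the unvalidated window without closing it.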
Last Wednesday Microsoft Argentina organized the MSDN Briefing, a big event that was attended by more than 1000 local developers. They asked me to do a presentation about advanced ASP.NET programming. I wanted to talk about development of advanced custom controls (i.e. templating, databinding, complex designer support, etc.) but I was not sure how many developers were currently doing this kind of stuff and might be interested in the talk. So, at the risk of having just a few (or zero) attendees, I decided to go with it anyway.
To my surprise it was one of the most attended talks (surpassing other “favourite” talks like the webservices one). During the two-hour talk I received lots of questions and a few complaints (hey! I’m not from Microsoft! You should complain to them! :)).
The questions were mainly basic ones; none of the attendees were actually implementing complex designer stuff or developing controls that supported either templates or databinding. Just a few were actually beginning to explore these topics.
On the complaint side, documentation (poor documentation, that is) was #1 by far. I told them I agreed with them, but I’m not sure if they really believed me (maybe it was the MS t-shirt that I received for the event…).
I brought NikhilKo’s book with me to recommend it. Almost none of them knew about it; I would imagine this is thanks to Microsoft Press’s (nonexistent) presence outside of the States.
To summarize, it was great to meet lots of developers working on such stuff and I just hope that I helped to spread the custom controls love a bit… :)