ok, got two problems in one post here because they are both related to the image upload feature in Dynamic Registration.

First is the Event validation setting that is enabled in DNN 5.6.3 and up. This is an important security feature and should remain enabled, however the image upload feature of this module fails to work when it is.

You can see this error occur when you upload an image on the test form I created here on betasprings:

http://www.betasprings.com/DynRegis...fault.aspx

It is not appropriate to disable event validation so this should really be fixed in a proper way. To quote Microsoft: "This feature reduces the risk of unauthorized or malicious postback requests and callbacks. It is strongly recommended that you do not disable event validation."


The second issue I'm reporting is that the "AttachFiles" token doesn't appear to be working.

If you first disable event validation on the web.config on betasprings so that the test form linked above works, then you will be able to upload an image to it. If you also change the email completion event address to your own address, then you'll find the resulting email has no attachment.

So, those are the issues:
1.Form needs to work with event validation enabled
2.AttachFiles token doesn't attach image file


These issues may very well also occur in Dynamic forms. I suggest checking that module as well.

Actually.. there's something else odd with the image attachment field. I very often find that the form presents the field as an empty textbox with the Browse button alongside, and the "upload new file" link underneath.

I'm seeing this right now on the form I created on Betasprings. If a file is now selected via the browse button, it will not upload or update the image. The form shouldn't normally ever display like that. It should only ever display the browse box after the upload link has been clicked. This may very well be happening because the event validation issue breaks the process.

Regards
Rob

p.s.
DNN Wiki on event validation:
http://www.dotnetnuke.com/Resources...ation.aspx

Hi Rob,

Yes we are just now finding out about the event validation setting and issue and unfortunately for now and our modules this setting will need to be enabled... Although all issues in DNN were fixed, many module venders will need to research this further and play catch up... If this is truly as large of a security issue then I would have imagined they would have done it faster or went back to even the 4.x release for a fix, or microsoft would have not even allowed it as an option in the web.config. Moving forward though, we will be trying to adjust our code to include this feature that doesn't allow the post backs as described here... Unfortunately it might mean removing some features like preview for the image field type until we find another way to do it, we will see...

As far as the attach files feature... The feature is intended only for the file upload feature, we might later add features for the image upload option but I know for now this is only supported with files uploaded using the file upload type and not image upload which is a seperate field and seperate feature set.

Thanks!

Chad

Just to be clear as well... This is an issue that ASP.NET and Microsoft has added for "extra" security that really prevents many of the features of some modules (especially very dynamic ones) from working. Its actually a problem mentioned back in 2006 even here:

http://forums.asp.net/t/973410.aspx/1

So, although I am happy DNN has been able to resolve any issues, it will take some time for module developers to catch up to these changes and what is likely to happen is that we will need to mention that unless this is enabled several features of our module will not work properly.

Thanks,

Chad

Hi Chad,

Just a thought... I'm no developer, but I get the impression that the problem arises with ajax postbacks. If that's the case, then could the module perhaps optionally be set to do non-ajax postbacks instead when the image upload/preview feature is used?

I have several other modules that display a thumbnail upon upload whilst filling out a form, but they don't do so until the postback is complete (I can think of several from dignuke and Ventrian off the top of my head). That works fine and I'd be happy to go with that if it resolves the issue.

Ajax is handy, but personally, I've never minded waiting for postbacks as my server is fast enough and it's generally a more positive(definite/tangible) experience anyway.

In the meantime I'll do some more research and then make a decision on either disabling the preview or the event validation. It's not a showstopper either way.

Regards
Rob

Hi Rob,

Well actually my understanding is that its not just with AJAX postbacks... I say this because many of our file and image upload fields already don't work with AJAX postbacks at all. This is more to do with having dynamic fields running postbacks on the fly (from JavaScript) and since many of our fields ARE dynamic we would have to change some pretty major parts of our modules right now in order for this to work... We are still researching this but because our modules are so dynamic, this makes this much more difficult then an average module that doesn't have the same dynamic fields being rendered.

Thanks,

Chad

Just for reference, I have included other threads related to this:

Issue with Telerik images that are uploaded and other JavaScript that Telerik uses for postbacks:
http://www.dotnetnuke.com/Resources...posts.aspx

Not sure or not if this is the same issue but I think its related to this too:
http://www.mitchelsellers.com/blogs...rning.aspx

Thanks,

Chad

Here is another reference as well:
http://www.interactivewebs.com/blog...nn-errors/

According to that developer...
"Note: The above website mentions that this is “not ideal”. That is not really accurate. The change to the web.config for this has little to no effect on anything else at all."

I tend to agree with this actually... If this was REALLY a big deal it would not have been allowed since 2006. Basically what this does is doesn't allow dynamic modules that try and cause postbacks to occur.

Thanks,

-Chad

Just a few other references...

I noticed from another blog post we might be able to add this into our pages:
<%@ page enableeventvalidation="true" %> in a page.

Or
<%@ page enableeventvalidation="false" %> in a page.

I am not sure yet if this is a good work around... In other words I don't know if the setting is set to true in the web.config, if we can override this on the page level or not.

Otherwise, we will be forced to use the 4.0 framework here:
http://msdn.microsoft.com/en-us/lib...ation.aspx

But many of our customers are not yet running on the 4.0 framework so this will be some time before we can do this.


Thanks,

Chad

ah yep got it.
Oh well, do your best

That thing Mitchel is referring to is a different drama, and for some it'll be a serious problem. DNN 5.6.4 and 6.1.0 will actually modify one's existing content and remove anything it doesn't like (scripts, iframes) from text modules. I saw the issue in the release notes and made a build with the 'feature' disabled and have done my upgrade tests with that instead.

My own DNN instance is stuck in 5.6.3 limbo between a wide variety of bugs and issues. I have to keep moving forward because of module requirements, yet each release of DNN brings another avalanche of broken code. But that's a rant for elsewhere.
Regards
Rob

Hmm... Thanks for the update.

Yes, I do actually think 6.x is much more stable in a way (or seems very stable at least) then 5.x. We have been running on 06.02 and it seems to fix the majority of issues customers were having in different areas with our modules. Most of our customers having problems are on 5.6.3 and 6.1 at this point. We are still running some tests but it affects almost all of our modules so its not exactly an easy fix for because of a new release for our modules directly.

Thanks,

-Chad