enableEventValidation and validateRequest difference

What is the difference between enableEventValidation and validateRequest? Although the former is on postback/callback caused by a control (Server side only I assume? Please advise), the latter is on every request, which is caused by a control posting back anyway? Or would validateRequest kick in by a standard html link being cli开发者_如何转开发cked?

Thanks

According to MSDN

EnableEventValidation's definition: "Gets or sets a value indicating whether the page validates postback and callback events."

ValidateRequest's definition: "Gets or sets a value that determines whether ASP.NET examines input from the browser for dangerous values."

EnableEventValidation addresses tampering with expected control values. So, for example, if I send {1, 2, 3} as the values in a drop down and the post back contains 4, event validation fails. Someone added an unexpected value to the page. This is why EnableEventValidation does not play well with client-side script that adds new values to controls.

RequestValidate addresses dangerous values in the post back. For example, alert('injected'); is a dangerous value in a textbox.