SPGridView, data and correct method of ensuring data is safe

Question

Hi,

I am using an SPGridView to present some data, and have enabled the filtering ability which works very well. Until you choose a particular item in the data to filter on...

The data item in question has an apostrophe in the string( e.g. "this is richards' string"), which causes the post-filter-application page load to die with the error:

Syntax error: Missing operand after 's' operator.

Obviously the data is not automatically made safe...

The data is in a datatable, and the SPGridView is fed using an objectdatasource using the datatable.

Whats the best, or correct, method to ensure the data is safe to use?

EDIT:

After much gnashing, I have found a partial answer but the question still remains.

The partial answer is - you can make the data safe for the filter code, but you then cannot make it look correct in the filter dropdown gui.

Adding BoundField.HtmlEncode = true; to the SPGridView definition does nothing.

Using HttpUtility.HtmlEncode on the string does nothing.

Manually replacing all apostrophes in the data with ampersand #39; on insertion into the DataTable allows the filter to work fine, and the data displays fine in the SPGridView, but it displays with the html replacement string in the filter dropdown, and not the apostrophe character. This is the partial solution, and isn't really usable as it creates a horrible filter string which is visible to the end user.

I am still to find a complete solution to this problem, save for removing offending characters from the data altogether, which isn't really a solution.

Regards Richard

Answer 1

The apostrophe is a special character in the filters. Try replacing all instances of the "'" (one apostrophe) with "''" (double apostrophe).

Edit 09/01/2009

Ok, so it took me a lot longer than I thought to actually get this working. You should just need to add this to your web part code:

protected override void OnPreRender(EventArgs e)
{
    if (!string.IsNullOrEmpty(gridDS.FilterExpression))
    {
        _gridDS.FilterExpression = string.Format(
            _grid.FilteredDataSourcePropertyFormat,
            _grid.FilterFieldValue.Replace("'", "''"),
            _grid.FilterFieldName
            );
    }

    base.OnPreRender(e);
}

Above, grid is your SPGridView and gridDS is of type ObjectDataSource which I believe is the only type that you will be able to get filtering to work with an SPGridView. Basically, I think what happens is that there is a bug in the Microsoft code and it doesn't really give you a chance to validate the filter value before it gets stuck in the FilterExpression. Using Reflector, I was able to figure out that the SPGridView really just sets the FilterExpression of your datasource. It does this using reflection and the value that you entered for your grid.FilteredDataSourcePropertyName property (I always see it being set to "FilterExpression" in all the examples).

Reference: http://www.reversealchemy.net/2009/05/24/building-a-spgridview-control-part-2-filtering/