From a user report: "when editing foo, textboxBar allows special characters which produce a warning .NET error on save".

textboxBar.Text is assigned to an object and saved using NHibernate:

<property name="TextboxBar" length="255" not-null="false" />

Thinking it may be NHibernate not escaping strings, but I can't find it in the docs.

Does NHibernate 1.2.0 automatically escape strings? A link would be appreciated.

+1  A: 

I doubt that it even needs to escape strings - I'd expect values to be passed in parameterised statements.

I strongly suspect this has nothing to do with nHibernate - I suspect this is just an ASP.NET error, although admittedly that's assuming that it's an ASP.NET application. If this is the case, you probably just want to turn off validation for that page.

See the ASP.NET FAQ page on validation for more details.

Jon Skeet
Nail on the head. Going to go through everything and escape it all now. Thanks.
sre
+1  A: 

It's not entirely clear what the situation is from your question, or even if this is ASP.NET, but could the user have been referring to the "A potentially dangerous Request.Form value was detected from the client…" error message that ASP.NET generates?

If so, this error message is not related to NHibernate, but is related to the fact that, by default, ASP.NET attempts to detect dangerous form inputs that might be a Cross Site Scripting attack attempt.

To fix this, you need to take responsibility for HTML encoding all of your outputs. If you are using web forms, you should add this page directive to your page...

<%@ Page ValidateRequest="false" ... %>

...and then make sure you validate the input yourself and/or are careful to always encode output when you include it in HTML later.

If you are using ASP.NET MVC, you do the same thing by adding the [ValidateInput] attribute to your controller action:

[AcceptVerbs(HttpVerbs.Post)]
[ValidateInput(false)]
public ActionResult Edit(...)
{
   return View();
}
Erv Walter
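The pattern from the answer above, as an added example that is not part of the original post: a Web Forms code-behind for the "edit foo" page that assumes ValidateRequest="false" is set in the .aspx directive, so the page does its own length check (the mapping declares length="255"), stores the raw value through NHibernate (parameterised, so no SQL escaping), and HTML-encodes only at the output boundary. The names Foo, FooEditPage, NHibernateHelper, the controls and the query-string id are assumptions.

```csharp
// Added example, not from the question or either answer. Assumes the page
// directive already carries ValidateRequest="false", so the checks that
// ASP.NET request validation used to do are this code's responsibility.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using NHibernate;

public class Foo
{
    public virtual int Id { get; set; }
    public virtual string TextboxBar { get; set; }   // mapped with length="255"
}

public partial class FooEditPage : Page
{
    protected TextBox textboxBar;   // declared in the .aspx (assumed)
    protected Literal barDisplay;   // Literal renders its Text unencoded
    private const int MaxLength = 255;  // must match the mapping's length="255"

    // Assumed helper that opens a session on the application's SessionFactory.
    private static ISession OpenSession() { return NHibernateHelper.OpenSession(); }

    protected void Save_Click(object sender, EventArgs e)
    {
        string value = textboxBar.Text;

        // Input validation we now own: enforce the column length ourselves rather
        // than letting the database reject or silently truncate the value.
        if (value.Length > MaxLength)
        {
            barDisplay.Text = "Value must be at most 255 characters.";
            return;
        }

        int fooId = int.Parse(Request.QueryString["id"]);   // assumed page contract
        using (ISession session = OpenSession())
        using (ITransaction tx = session.BeginTransaction())
        {
            Foo foo = (Foo)session.Get(typeof(Foo), fooId);
            // Stored verbatim: NHibernate sends the value as a command parameter,
            // so no SQL escaping is needed and none should be added here.
            foo.TextboxBar = value;
            session.SaveOrUpdate(foo);
            tx.Commit();
        }

        // Encode at the output boundary, not before storage:
        // "<script>" is rendered as "&lt;script&gt;" and stays inert in the page.
        barDisplay.Text = HttpUtility.HtmlEncode(value);
    }
}
```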