Category Archives: Xss

How to make AllowHtml work when the model is in a collection

I’m using ASP.NET MVC 4. I have a model that has more than ten properties; but only two properties have AllowHtml attributes. I just want these two properties to by-pass request validation check. I will sanitize them myself. But I want other properties to be validated.

When I use this model one by one, I mean create/update a single one, then AllowHtml works. But there is a case where I have to make a batch update. In this case I bind a generic List<> object of this model. Unfortunately AllowHtml is ignored in this case.

I tried to figure out what was going on by adding a custom ModelBinder for the generic List object but I wasn’t successful.

Does anyone have an idea on how to bind collections by also honoring the AllowHtml attribute on the model?

Thanks in advance

Hi kpaxco,

Based on my test in an MVC 4 project, it works fine.

Please create a new project and try again to check whether you could reproduce that issue.

This is my code below:

// Model
using System.Collections.Generic;
using System.Web.Mvc;

public class StudentInfo
{
    public string Name { get; set; }

    // Request validation is skipped for this property only
    [AllowHtml]
    public string Description { get; set; }
}

// Controller actions (inside the controller class)
public ActionResult AllowHtmlTest()
{
    List<StudentInfo> ss = new List<StudentInfo>();
    for (int i = 0; i < 3; i++)
    {
        StudentInfo s = new StudentInfo() { Name = "name" + i };
        ss.Add(s);
    }
    return View(ss);
}

[HttpPost]
public ActionResult AllowHtmlTest(List<StudentInfo> ss)
{
    return View(ss);
}

@* View for the AllowHtmlTest action *@
@model List<MvcDemo2.Models.StudentInfo>

@{
    ViewBag.Title = "AllowHtmlTest";
}

<h2>AllowHtmlTest</h2>

<fieldset>
    <legend>StudentInfo</legend>
    @using (Html.BeginForm())
    {
        for (int i = 0; i < Model.Count; i++)
        {
            <div class="display-label">
                @Html.LabelFor(model => Model[i].Name)
            </div>
            <div class="display-label">
                @Html.TextBoxFor(model => Model[i].Name)
            </div>
            <div class="display-label">
                @Html.LabelFor(model => Model[i].Description)
            </div>
            <div class="display-label">
                @Html.TextBoxFor(model => Model[i].Description)
            </div>
        }
        <input type="submit" value="submit" />
    }
</fieldset>

Please make sure you bind the correct name for each element (e.g. [0].Name, [1].name).

If you still have the issue, please share the project on the OneDrive.

Best Regards

Starain Chen

Hi,

Thanks for the reply. The thing is we don’t use Razor for the view. We use a Javascript library and our action methods receive JSON-encoded data. We didn’t have any problems with structure until now.

I have also tried your example to see how the posted student list data is bound to List<StudentInfo> parameter of the action and seen that it’s totally different from the JSON-encoded array data:

[0].Code    code0
[0].Description    <b>dddddddddddd</b>
[1].Code    code1
[1].Description    descr1
[2].Code    code2
[2].Description   

JSON-encoded data:

ss    [{"Code":"code0","Description":"<b>dddddddddddd</b>"},{"Code":"code1","Description":"descr1"},{"Code":"code2"}]

If we move along with your example:

1. I can create/update a single StudentInfo object honoring the AllowHtml attribute.

2. I can create/update multiple StudentInfo objects if I don’t write any Html content on Description property.

3. I can NOT create/update multiple StudentInfo objects if I write Html content on Description property. I get "A potentially dangerous Request.Form value was detected from the client" error. AllowHtml is NOT taken into account in this case.

I don’t want to put ValidateInput(false) attribute on the action. I want all fields to be validated except two note fields.

Thanks in advance

Hi kpaxco,

kpaxco

[{"Code":"code0","Description":"<b>dddddddddddd</b>"},{"Code":"code1","Description":"descr1"},{"Code":"code2"}]

Based on this code, we can see that the format is incorrect. You are losing the prefix. (E.g. [0].Code)

If you still have the issue, please provide the detailed code showing how you serialize the form data, or a simple project on OneDrive that has the issue.

Best Regards

Starain
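
Added example, not code from either poster: a small JavaScript helper (the names `toIndexedFields` and `toFormBody` are hypothetical) that turns the JSON array quoted above into the `[0].Code` / `[0].Description` field names Starain describes, so each value is posted under its own property name instead of inside one `ss` string. It goes slightly beyond the thread's sample by also handling nested objects and arrays.

```javascript
// Added example: flatten a JSON array into the indexed field names that the
// Razor form in this thread posts ([0].Code, [0].Description, ...).
// Function names are hypothetical, not part of ASP.NET MVC or any library.

function toIndexedFields(value, name = '', out = []) {
  if (value === null || value === undefined) {
    return out; // nothing is posted; the bound property keeps its default
  }
  if (Array.isArray(value)) {
    // Collection binding walks indexes 0, 1, 2, ... and stops at the first
    // gap, so empty slots are dropped and the remaining items renumbered.
    value
      .filter((item) => item !== null && item !== undefined)
      .forEach((item, i) => toIndexedFields(item, `${name}[${i}]`, out));
  } else if (value instanceof Date) {
    out.push([name, value.toISOString()]);
  } else if (typeof value === 'object') {
    for (const key of Object.keys(value)) {
      toIndexedFields(value[key], name ? `${name}.${key}` : key, out);
    }
  } else {
    out.push([name, String(value)]); // string, number, boolean
  }
  return out;
}

// Build an application/x-www-form-urlencoded body from the field list.
function toFormBody(items) {
  return toIndexedFields(items)
    .map(([n, v]) => `${encodeURIComponent(n)}=${encodeURIComponent(v)}`)
    .join('&');
}

// The JSON array from the thread, used as sample input.
const posted = [
  { Code: 'code0', Description: '<b>dddddddddddd</b>' },
  { Code: 'code1', Description: 'descr1' },
  { Code: 'code2' },
];

for (const [name, value] of toIndexedFields(posted)) {
  console.log(`${name}\t${value}`);
}
```

With per-field names, the markup in `Description` is no longer part of one large form value, so the remaining fields are still checked individually.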

Hi,

Thanks for the reply. But unfortunately we can not change the way that the form data is encoded to JSON. And if I’m not mistaken when people work with a Javascript UI library instead of Razor, this format of encoding is pretty common.

The format that we use worked without a problem until now. Hope that ASP.NET MVC will adjust to this type of JSON encoding (without the index prefix) soon.

Thanks again

Hi,

Please provide the detailed code.

Thanks

I tried your scenario: when I stringify and post the JSON it doesn’t work, it says server error. At this point AllowHtml isn’t working.

You might want to look at

http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client

http://www.asp.net/whitepapers/aspnet4/breaking-changes (following..)

ASP.NET Request Validation

The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

<httpRuntime requestValidationMode="2.0" />

However, we recommend that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.

doesn’t work either.. have to see debug the source code.. didn’t know this could happen with AllowHtml

[RESOLVED]HTML Integrity in ASP.NET MVC

Hello ASP.NET Forums!!!! Once more, here I come to ask for your almighty help.  … :p  Hello!!! 

First of all, I am sorry if this goes to the HTML thread. I thought this was MVC’s because it’s a server-side problem. 

I have been learning about XSS (Cross-Site Scripting), HTML manipulation, and that I should treat my database as a fortress. Knowing that, I would like to know up to what level should I verify the user’s input. Let me explain (please have some patience):

I’m doing a site that allows people to sell products to other people (clients) from a same repository. The vendor creates an account, and starts adding clients. Then, the vendor takes order from the client and process it through the application. 

Imagine I have the following Razor HTML:

        @foreach (var item in Model)
        {

            <div class="Product-Box" data-list-id="@(i + 1)" id="line-@i">
                <div class="Product-Box-Left">
                    <div class="Circular" style="background: url(@HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Authority)@Href("~/Content/Images/Products/" + item.Products.ProductCode + ".jpg"))"></div>
                </div>
                <div class="Product-Box-Center">
                    <span class="Product-Box-Center-Code">Code @item.Products.ProductCode</span>
                    <span class="Product-Box-Center-Name">@item.Products.ProductName</span>
                    <span class="Product-Box-Center-PV_BV text-center PV" data-pv="@item.Products.ProductDetails.PV">
                        <b>@((item.Products.ProductDetails.PV * item.Quantity).ToString())</b>
                        <br>
                        PV
                    </span>
                    <span class="Product-Box-Center-PV_BV text-center BV" data-bv="@item.Products.ProductDetails.BV">
                        <b>@((item.Products.ProductDetails.BV * item.Quantity).ToString())</b>
                        <br>
                        BV
                    </span>
                </div>
                <div class="Product-Box-Right text-center">
                    <p class="Product-Box-Price">
                    <p>
                        <span class="price" data-price="@ViewBag.Prices[i]">@((ViewBag.Prices[i] * item.Quantity).ToString())</span>
                        RD$
                    </p>
                    </p>
                    <p class="">
                        Quantity <span data-qt="@item.Quantity">@item.Quantity</span>
                        <input type="number" class="Quantity hidden" onchange="ChangeQuantity(@i,this.value);" value="@item.Quantity" min="1">
                        <a href="javascript:DeleteItem(@i);" class="remove hidden">Remove</a>
                    </p>
                </div>
                <input type="hidden" value="@item.ProductID" name="[@i].ProductID" data-val="true" data-val-required="The ScopeMode field is required." class="hiddenPI" />
                <input type="hidden" value="@item.Quantity" name="[@i].Quantity" class="hiddenQT" />
                <input type="hidden" value="@item.OrderModsID" name="[@i].OrderModsID" />
                <input type="hidden" value="@item.ClientID" name="[@i].ClientID" />
                
            </div>
            i++;


        }

It’s a form that processes the client’s order. The problem is that the form has hidden inputs in which I store the client’s ID, and Product ID (which are direct references to rows in the database a.k.a Foreign Keys). This means that when the form is submitted, so are those values. Henceforth inserting them into the database will do the work of DB normalization.

Sensitive information like the Client’s ID, are subject to verification tests to see if the Client’s ID correspond to the vendor, otherwise it throws an error. But… should I do the same to the Product’s ID and other inputs which do not carry "personal-sensitive" information?

That’s what is haunting me. Allowing the attacker to change the Product’s ID and other hidden forms will not affect the application security wise, but it would disrupt application flow only to the attacker (yes, only to the attacker). Like for example, changing the Product’s ID hidden input to a value that is offset from the database or that does not exist.

I hope I was clear enough. Thanks a lot in advance!

In my opinion you can send your product ID via hidden input, just make sure you verify properly and use the @Html.AntiforgeryToken() to protect your form post. When you collect values in your controller, do a lot of verification on all inputs; that is most important.

So, even if it couldn’t propose a security issue, should I verify it anyways? 

you should treat your controller actions as a public webapi, and supplied web pages just a handy tool to fill in the values for posting for novice users. so if product id are only valid by vendor, then you should validate the ids on the postback. you should always validate on each request, the authenticated users access to key ids.

if the client are tied to vendors then you should validate this relationship. you can often use database constraints for this.

if the client id is not a guid you should probably encrypt it before placing in a hidden field.

also assume someone has screen scraped your site, and is performing their own postbacks via their own application. there are generalized tools/websites for doing this.

Always verify, and you can encrypt values in your hidden field which you would decrypt when collecting in your controller’s action method.

@Bruce: Thanks a lot. 

you should treat your controller actions as a public webapi, and supplied web pages just a handy tool to fill in the values for posting for novice users. so if product id are only valid by vendor, then you should validate the ids on the postback. you should always validate on each request, the authenticated users access to key ids. 

if the client are tied to vendors then you should validate this relationship. you can often use database constraints for this.

if the client id is not a guid you should probably encrypt it before placing in a hidden field.

also assume someone has screen scraped your site, and is performing their own postbacks via their own application. there are generalized tools/websites for doing this.

I didn’t know that web scraping was the term applied for extracting information from a website. Thanks for letting me know that I need to check up the relationships between the clients and the users. I am already doing that, so it is good to know that I’m on good track. What I didn’t catch is that if I need to verify if the product is indeed in the DB or not.

And… Yes, I already have some helpers to help the user fill in the correct data.

@skliz4rel: Thank you. I will be encrypting the information sent to the user, that way I can have a little bit more protection. Do you know which is the best method to do so?

Doing some quick Google yielded the following results, from StackOverflow:

http://stackoverflow.com/questions/14773148/how-to-encrypt-the-query-string-id-in-mvc4-actionlink/14774470#14774470 (Marked Answer)

But then, I read this:

http://stackoverflow.com/a/15766560/1057052

Is this true for this occasion? Because I know that someone can spoof my connection, and can retrieve anything from the client side. 

Bwahahaha! Yes >:D (hahaha)

Thanks for teaching me the direction I should go. 

Reading this:

http://brockallen.com/2012/06/21/use-the-machinekey-api-to-protect-values-in-asp-net/

Sent me to these:

http://blogs.msdn.com/b/webdev/archive/2012/10/22/cryptographic-improvements-in-asp-net-4-5-pt-1.aspx

http://blogs.msdn.com/b/webdev/archive/2012/10/23/cryptographic-improvements-in-asp-net-4-5-pt-2.aspx

http://blogs.msdn.com/b/webdev/archive/2012/10/24/cryptographic-improvements-in-asp-net-4-5-pt-3.aspx

Which in other words, it means that yes, every data should be encrypted, and that should save me lots of problems. I will be only doing verification in the DB when sensible data matters (like Client and the vendor relationship, Order ID and the current vendor, etc.). Others I will not be doing them.

Thank you all!!! :D :D 

Edit: 

Here we have the exact material:

using System;
using System.Text;
using System.Web.Security;

public class StringProtector
{
    // Purpose string bound into the protected payload; Unprotect must pass the same value
    private const string Purpose = "Authentication Token";

    public string Protect(string unprotectedText)
    {
        var unprotectedBytes = Encoding.UTF8.GetBytes(unprotectedText);
        // Encrypts and signs with the application's machine key (requires .NET 4.5)
        var protectedBytes = MachineKey.Protect(unprotectedBytes, Purpose);
        var protectedText = Convert.ToBase64String(protectedBytes);
        return protectedText;
    }

    public string Unprotect(string protectedText)
    {
        var protectedBytes = Convert.FromBase64String(protectedText);
        // Throws CryptographicException if the value was modified or the purpose differs
        var unprotectedBytes = MachineKey.Unprotect(protectedBytes, Purpose);
        var unprotectedText = Encoding.UTF8.GetString(unprotectedBytes);
        return unprotectedText;
    }
}

Taken from:

http://stackoverflow.com/a/13362950/1057052

And here is another help:

http://stackoverflow.com/questions/16618120/how-to-use-machinekey-protect-for-a-cookie

[RESOLVED]Risks of using Client side coding in ASP.NET

What are the risks of using Client Side coding in ASP.NET? I mean by client side (HTML, Web API Storage, JavaScript and its libraries, JQuery and its libraries, JSON … ). I read some articles talking about Security for Cross site scripting attacks (XSS), and Caching. So if there are any other risks and how to cover/avoid them, I want to know. Thanks.

Hi,

Try https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013

It should be enough for a start ;-) (security is a travel, rather than a destination)

Hi,

So far as I know, the Pattern Recognition web application security engine employed by dotDefender effectively protects against malicious behavior such as SQL Injection and Cross Site Scripting. The patterns are regular expression-based and designed to efficiently and accurately identify a wide array of application-level attack methods. As a result, dotDefender is characterized by an extremely low false positive rate.

For more information, please refer to the link below:

http://www.applicure.com/solutions/prevent-cross-site-scripting-attacks

Hope it’s useful for you.

Best Regards,

Michelle Ge

PatriceSc

security is a travel, rather than a destination

well said .. :)

Installing AjaxToolKit Error: Parser Error Message: Unrecognized element 'sanitizer'.

Hello,

New to AJAX – I’m trying to use the CascadingDropdown.  The AJAXToolKit is downloaded with NuGet.  It’s pulled into the toolbar in VS2010. 

At the top of my page is:

<%@ Page Title="" Language="VB" MasterPageFile="~/Masters/mstrIntranet.master" AutoEventWireup="false"
     CodeFile="orderAdd.aspx.vb" Inherits="AddOrder" Debug="True" %>
<%@ Register TagPrefix="asp" Namespace="AjaxControlToolkit" Assembly="AjaxControlToolkit" %>

The page line shows an error "Unrecognized Element Sanitizer"

In the Web.Config is:

<configuration>
    <configSections>
        <sectionGroup name="system.web">
            <section name="sanitizer"
                     requirePermission="false"
                     type="AjaxControlToolkit.Sanitizer.ProviderSanitizerSection, AjaxControlToolkit"/>
        </sectionGroup>
    </configSections>
    <appSettings />
    <system.web>
        <compilation debug="true" strict="false" explicit="true" targetFramework="4.0">
            <assemblies>
                <add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
                <add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
                <add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
            </assemblies>
            <sanitizer defaultProvider="AntiXssSanitizerProvider">
                <providers>
                    <add name="AntiXssSanitizerProvider" type="AjaxControlToolkit.Sanitizer.AntiXssSanitizerProvider"></add>
                </providers>
            </sanitizer>
        </compilation>

This line: <sanitizer defaultProvider="AntiXssSanitizerProvider">
Shows an error: "The element compilation has an invalid child element 'sanitizer'."
On the web page it shows an error on the same line: Unrecognized element 'sanitizer'.

Hi, 

jslist

This line: <sanitizer defaultProvider="AntiXssSanitizerProvider"> 
Shows an error: "The element compilation has an invalid child element 'sanitizer'."
On the web page is shows an error on the same line: Unrecognized element 'sanitizer'.

I can’t reproduce this issue locally. Could you check when this configuration above is added in the web.config? As far as I know, when you are using AJAX CascadingDropdown control, this configuration is not needed. In order to resolve your issue, I would suggest you comment out the corresponding configuration above at first. Then try to add the CascadingDropdown control as follows:

http://www.asp.net/ajaxLibrary/AjaxControlToolkitSampleSite/CascadingDropDown/CascadingDropDown.aspx

http://www.codeproject.com/Articles/32725/Using-CascadingDropDown-with-a-Database

Best wishes, 

The <system.web> element section group definition isn’t valid because the system web section group uses a type, which means it has an explicit definition. You can’t include your custom config section in the <system.web>; put it in your own sectionGroup or at the root level instead. You don’t need to define a sectionGroup type, but can just simply use a name to group your custom sections.

http://forums.asp.net/t/1739306.aspx/1

http://forums.asp.net/t/1831845.aspx/1?Adding+HtmlAgilityPackSanitizerProvider

[RESOLVED]Html Editor Extended Control

hi

I installed the Ajax toolkit control for ASP.NET 3.5. When I used the Html Editor Control I got this error:

Sanitizer provider is not configured in the web.config file. If you are using the HtmlEditorExtender with a public website then please configure a Sanitizer provider. Otherwise, set the EnableSanitization property to false.

any help

thanks

We strongly recommend that you do not use the HtmlEditorExtender on a public website without using the AntiXSS Sanitizer Provider. If you do not use the AntiXss Sanitizer Provider then your website will be open to Cross-Site Scripting (XSS) Attacks.

The AntiXSS Sanitizer Provider is included in the SanitizerProviders folder with the CodePlex release of the Ajax Control Toolkit. You need to add a reference to all three assemblies contained in the folder: SanitizerProviders.dll, AntiXSSLibrary.dll, and HtmlSanitizationLibrary.dll.

You must add the following configuration sections to your Web.config file to enable the provider:

<configuration>
    <configSections>
        <sectionGroup name="system.web">
            <section name="sanitizer"
                     requirePermission="false"
                     type="AjaxControlToolkit.Sanitizer.ProviderSanitizerSection, AjaxControlToolkit"/>
        </sectionGroup>
    </configSections>
    <system.web>
        <compilation targetFramework="4.0" debug="true"/>
        <sanitizer defaultProvider="AntiXssSanitizerProvider">
            <providers>
                <add name="AntiXssSanitizerProvider"
                     type="AjaxControlToolkit.Sanitizer.AntiXssSanitizerProvider"></add>
            </providers>
        </sanitizer>
    </system.web>
</configuration>

http://www.asp.net/ajaxLibrary/AjaxControlToolkitSampleSite/HTMLEditorExtender/HTMLEditorExtender.aspx

http://stephenwalther.com/archive/2011/08/01/ajax-control-toolkit-july-2011-release-and-the-new-html.aspx

[RESOLVED]Force all links in Iframe to be open in new tab

Hi,

I have an HTML file that contains some <a> tags with no target attribute defined.

I have a iframe with following properties

<iframe id="ifr" runat="server" scrolling="yes" width="100%" frameborder="0" class="My_IFR" marginheight="0" marginwidth="0">

I am setting the src for iframe on gridview row click dynamically.

Can I do something so that the <a> tags open in a new tab?

I have html files in the same domain as the application.

You can set the target to _blank, depending on the browser you are using it should open in a new tab but some will open as a new window.

Hi @breath2k

I have no control over the HTML file. I just have to show it in the iframe. Can I do it by using jQuery? I have searched through the net all day but no luck !!!

Does the a tag have any kind of class or id on it, if yes then you can use jQuery:

// if has an id
$("#atagid").attr("target","_blank");

// if more than one with a class
$(".atagclass").each(function() {
    $(this).attr("target","_blank");
});

Although not sure if it will change a tags within the iFrame until you test it.

If the iframe’s source is on a domain other than your own, there will be a case of cross-site scripting (XSS), which most (all?) browsers will block.
In that case the above javascript won’t work. Otherwise it should be fine.
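
Added example, not code from any poster in this thread: for a same-origin iframe the links live in the frame's own document, so the lookup has to run against `contentDocument` after each load rather than against the parent page. `retargetFrameLinks` is a hypothetical helper; the `My_IFR` class is taken from the iframe markup above, and the example also sets `rel="noopener noreferrer"` on each rewritten link.

```javascript
// Added example: force every link inside a same-origin iframe to open in a
// new tab. Returns the number of links rewritten, or -1 when the frame's
// document is not reachable (cross-origin content or nothing loaded).
function retargetFrameLinks(frame) {
  let doc;
  try {
    // For a cross-origin frame the browser returns null here (or throws),
    // which is the blocking behaviour described in the last reply.
    doc = frame.contentDocument;
  } catch (err) {
    return -1;
  }
  if (!doc) {
    return -1;
  }

  const links = doc.querySelectorAll('a[href]');
  for (const a of links) {
    a.setAttribute('target', '_blank');
    // Keep any rel tokens already present and add noopener/noreferrer so the
    // newly opened page gets no window.opener reference back to this site.
    const rel = new Set((a.getAttribute('rel') || '').split(/\s+/).filter(Boolean));
    rel.add('noopener');
    rel.add('noreferrer');
    a.setAttribute('rel', Array.from(rel).join(' '));
  }
  return links.length;
}

// Browser wiring: the src is changed on every grid row click, so the links
// must be rewritten on each load event, not just once.
if (typeof document !== 'undefined') {
  const frame = document.querySelector('iframe.My_IFR');
  if (frame) {
    frame.addEventListener('load', () => retargetFrameLinks(frame));
  }
}
```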

Putting HTML into text control

We are creating an asp.net site to replace an old classic asp site. The users apparently added some html tags to the large text fields in the SQL Server database and when I try to edit them on a ListView I am getting an error message ‘A potentially dangerous Request.Form value was detected from the client …’ and need to get around this somehow. When I looked at the database it has text like <ol><li>text</li></ol> in it. I hate to do a mass UPDATE as I am afraid it may not display correctly on the old classic asp site. Any ideas? Thanks.

Hi,

Set 

<httpRuntime requestValidationMode="2.0" />

in your web.config. If you are setting this option, ensure that you take steps to protect against genuine attacks.

Please refer to the link below, which discusses a similar scenario and how to overcome it

How to Solve Potentially Dangerous Request Issue

Use HtmlEncode() on the value so they will display literally. I think that will work. 

How is that done on a ListView item? I currently have a TextBox with Text='<%# Bind("FaqResponse") %>'

Use <%# Server.HTMLEncode(Bind("FaqResponse")) %>. It will display the HTML encoded string in your text box.

I tried that and it displayed it ok but I am concerned that the user will understand what all of the &lt; or &gt; are and will be an issue. My thought was to do an SQL REPLACE() or something and use some alternate text. The good thing about the <li></li> thing is that it gave them an automatic numbered list. They use this text field for instructions, etc. and I would like to allow them to have numbered paragraphs when they display the text in a Label control (which it does now) and also in a TextBox control when they edit or insert rows.

First thing I would like to mention is that you should be (if you are not already) aware of the XSS (cross site scripting) risks involved. So if you don’t already know, gather some basic information. Secondly, Microsoft does have an AntiXSS library that you should use. Download the library from the following link:

http://www.microsoft.com/en-in/download/details.aspx?id=28589

This library will give you many options to cleanse your data so that request validation won’t fail.

I am really worried about allowing this in the new application. I don’t want more libraries, etc. and don’t have time to learn. I think I am just going to do an SQL REPLACE() on these nvarchar columns and let asp.net fail when someone tries to inject html characters…unless you have a fool-proof method. Thanks.

That would be the best choice if you do not want to add anti XSS library. Request validation is there to protect you from XSS, and you need other libraries only when you decide to allow seemingly malicious data to enter into your system (by turning off request validation).

[RESOLVED]HtmlEditorExtender

There are quite a few problems that really need to be resolved with the HTML editor Extender.

It loses the tags and attributes on postback, rendering the TextBox.Text property completely useless.

To retain all changes made, I had to make a hidden TextBox (display:none) to save the actual HTML data from the "ctl00_ContentPlaceHolder1_TextBoxID_HtmlEditorExtender_ExtenderContentEditable" <div> using the onclientclick of the button using the below Javascript Function.

function saveValues() {
        document.getElementById('<%=contentHolder.ClientID%>').value = document.getElementById('ctl00_ContentPlaceHolder1_footer_HtmlEditorExtender_ExtenderContentEditable').innerHTML;
    }

Which finding the div that actually stores the data wasn’t so easy then on post back I have to:

<script type="text/javascript">
    var restored = false;
    $(document).ready(function () {
        // For HtmlEditorExtender Postback Image problem:
        // keep copying the saved HTML back into the editor <div> until it sticks.
        var timer = setInterval(function () {
            if (!restored) {
                try {
                    var editor = document.getElementById('ctl00_ContentPlaceHolder1_footer_HtmlEditorExtender_ExtenderContentEditable');
                    var saved = document.getElementById('<%=contentHolder.ClientID%>').value;
                    if (editor.innerHTML != saved) {
                        editor.innerHTML = saved;
                    } else {
                        restored = true;
                        // Stop polling once the editor holds the saved HTML
                        clearInterval(timer);
                    }
                } catch (err) {
                    // Editor <div> not rendered yet; retry on the next tick
                }
            }
        }, 50);
    });
</script>

You would think

<script type="text/javascript">
    var restored = false;
    $(document).ready(function () {
        document.getElementById('ctl00_ContentPlaceHolder1_footer_HtmlEditorExtender_ExtenderContentEditable').innerHTML = document.getElementById('<%=contentHolder.ClientID%>').value;
    });
</script>

would  be enough, but apparently it doesn’t populate the <div> when the document is ready so you have to keep re-checking to see if it took the value.

I’m sure some of you must be saying "Well why doesn’t he use Server.HtmlDecode(TextBox.Text)?" Well the problem with that is that the Extender removes the <br/>’s, the <img size parameters and who knows what else (I wasn’t willing to find out how big the mess could get).

The older version was lacking in some of the features that this one has but the MESS involved leaves much to be desired.

Don’t get me wrong the extender is GREAT! I greatly appreciate that someone took their time to write this library to make my life easier but one must bear in mind that end users are the ones who will end up using these controls. One slight oversight could make the programmer using the library look REALLY BAD because to the end user the bug is the application developers fault.

To end users a library is a place where you keep books, lol.

[RESOLVED]VS 2010 versions and performance

Hi all,

I recently joined the amazing Websitespark and got hold of VS2010 professional edition. I have problems downloading the ISO file (it’s 2+ GB) and I am currently using an old laptop. Hence, I have a question regarding performance and more.

For the moment, I only develop web sites (as opposed to winforms projects). Therefore, I’m using VWD 2008 Express Edition. This works fine on my laptop and its features are great. The most important thing I miss is a Sql injection/XSS checking software, and in the Security forum I learned that the VS 2008 Professional Edition can use CAT.Net to run these checks.

So, the question I’m facing is this (or so I believe): Can VWD Express 2010 run CAT.Net, or, alternatively, has MS come to their senses and added security features to the Express editions? If not (or perhaps anyway): Should I go through the trouble of installing VS Professional Edition 2010? From what I’ve seen advertised, the differences between 2008 and 2010 editions are not substantial, and it uses a lot more resources than the old versions, I’m afraid I can’t run it. Also, I guess that the new versions (professional and express) might use the same amount of resources, and that the express edition is just stripped of some features (correct?).

Any help would be greatly appreciated!

Pettrer

 

I think all will work normally.

Thanks,

By this I guess you mean that the new versions aren’t heavier on the computer than the previous versions. Therefore, I’ll try to continue my interrupted download…

Thanks again,

 

Pettrer 

VS2008 minimum hardware requirements:

Minimum: 1.6 GHz CPU, 384 MB RAM, 1024×768 display, 5400 RPM hard disk

VS2010 minimum hardware requirements:

Minimum: 1.6 GHz CPU, 1 GB RAM for x86, 2 GB RAM for x64, 1024×768 display, 5400 RPM hard disk

As you can see, VS2010 consumes much more from the memory than VS2008... about 2.5 times more.

I’m using VS2010 Ultimate and when I open my project (medium size project), it consumes about 600MB... without running the website.

Anyway it’s worth it, VS2010 Ultimate is much advanced than VS2008 with many cool features (i.e. there is a built-in code analysis), CAT.net 2.0 is still beta (it supports vs2010) but the final version will be launched very soon.


Ala’a,

Thanks so much for your informative reply!

Yes, I’ve seen the specs before, but they don’t usually mean that much in the real world. I can confirm that when I work with VWD Express 2008 I get just over 200 MB consumed ram. I can live with 2.5 times that figure (I just Installed another 1 GB of RAM) – it’s mostly speed (CPU) that this computer won’t handle.

Thanks again. I guess that this is important info for many users.

/Pettrer