I'm glad to hear that Sitefinity is following best practices; I would just like some reassurance. Our site has been subject to several injection attack attempts. Our error log shows that the news page has been requested with injection query strings attached with malicious code. The response has been "invalid content id", but I'd like to make sure that Sitefinity is not in any way accepting this code, because it doesn't throw an argument error, rather an invalid id error, which doesn't necessarily mean that it didn't execute the malicious code!
On all my custom modules, there are of course checks in place to filter malicious input, and I'm sure Sitefinity would never overlook such a basic need, but I'd like to learn more about what is in place, especially since the news page always goes straight to an error state instead of showing some kind of error message. It would be great to mimic the "emptydatatemplate" of the gridview on the news and show a customizable error message when news is not found or an error was encountered.