Zed Shaw wrote:
> Yep, and there's even cross site scripting and lots of other stuff. I
> tried the <%h= %> syntax to have the variables escaped, but that didn't
> work, it just produced empty results. Any advice on how to best do
> this?

I think you have to use <%= h ... %>
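An added example (not from the thread or from Rails itself) that runs plain Ruby's ERB with the `h` helper from ERB::Util to show the three cases above side by side: unescaped `<%= comment %>`, escaped `<%= h comment %>`, and the mistyped `<%h= comment %>`, which ERB reads as an ordinary `<% %>` code tag containing the assignment `h = comment` and therefore prints nothing. The template strings and the `UNTRUSTED` input are constructed for the demonstration; `comment` is an assumed template local.

```ruby
require 'erb'
include ERB::Util # brings h (alias of html_escape) into scope for templates

# Constructed sample input: a user-supplied comment containing markup and quotes
UNTRUSTED = %q{<script>alert("xss")</script> Tom & "Jerry"}

# Render a template string with `comment` available as a template local.
def render(template, comment)
  ERB.new(template).result_with_hash(comment: comment)
end

# <%= comment %>: the input is copied into the HTML verbatim (XSS if untrusted).
def render_unescaped(comment)
  render('<p><%= comment %></p>', comment)
end

# <%= h comment %>: h turns <, >, &, " and ' into entities, so browsers
# treat the input as text rather than markup.
def render_escaped(comment)
  render('<p><%= h comment %></p>', comment)
end

# <%h= comment %>: ERB's scanner only knows <%=, <%#, <%% and <%, so this is a
# plain code tag whose body is `h= comment`, a local-variable assignment.
# Nothing is emitted, which matches the "empty results" reported above.
def render_mistyped(comment)
  render('<p><%h= comment %></p>', comment)
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(UNTRUSTED)
  puts render_escaped(UNTRUSTED)
  puts render_mistyped(UNTRUSTED)
end
```

The escaped form is the one that actually neutralises the input; the mistyped form fails silently, producing no output at all rather than an error, which is why it is easy to mistake for a working escape.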