On Wed, Oct 02, 2002 at 12:09:24AM +0100, Pedro Vale Lima wrote:
> I ported a php board to quixote, mostly to learn how to use qx.
> I guess it could be useful as a bigger demo or starting point
> for a board program.

You might want to use html_quote and url_quote from quixote.html. In
view.ptl you have:

    message = msg.message
    message = string.replace(message,"<","&lt;")
    message = string.replace(message,">","&gt;")

Can message ever contain the '&' character? Elsewhere you have:

    "%s" % \
        (msg.id,topic_id,start,msg.subject)

First, '&' characters should be escaped. Next, if any of the format
arguments can have '&', '<', or '>' characters then they should also be
escaped. For example:

    url = 'view?message_id=%d&topic_id=%d&start=%s' % (msg.id, topic_id,
                                                       url_quote(start))
    '%s" % (html_quote(url), html_quote(msg.subject))

I think there are quite a few other places that you should use html_quote.

  Neil
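Added worked example (editor's addition, not code from Neil's message, from
Pedro's board port, or from the Quixote project). It contrasts the
replace-only-'<'-and-'>' approach with escaping '&' as well, and shows why
the start parameter needs url_quote before the URL is built and html_quote
once it sits inside an href. The Python standard library's html.escape and
urllib.parse.quote stand in for quixote.html's html_quote and url_quote;
the Msg class, the sample message and the view_link/parse_link_query
helpers are assumptions made for the example.

```python
import html
from urllib.parse import quote, parse_qs, urlsplit


class Msg:
    """Minimal stand-in for the board's message object (constructed)."""

    def __init__(self, id, subject, message):
        self.id = id
        self.subject = subject
        self.message = message


def html_quote(s):
    # Escape &, <, > and " so text can neither open a tag nor close an attribute.
    # Stand-in for quixote.html.html_quote.
    return html.escape(str(s), quote=True)


def url_quote(s):
    # Percent-encode everything outside the unreserved set, so '&' and '='
    # inside a value cannot introduce extra query parameters.
    # Stand-in for quixote.html.url_quote.
    return quote(str(s), safe='')


def naive_escape(message):
    # The replace-only approach from view.ptl: '&' is left alone, so an
    # entity already present in the text ("&lt;") is rendered as '<' and
    # any bare '&' yields malformed HTML.
    return message.replace("<", "&lt;").replace(">", "&gt;")


def render_message(msg):
    # Escaping '&' first means user-supplied entities stay literal text.
    return html_quote(msg.message)


def naive_view_link(msg, topic_id, start):
    # Link built without url_quote on start and without html_quote on the href.
    url = 'view?message_id=%d&topic_id=%d&start=%s' % (msg.id, topic_id, start)
    return '<a href="%s">%s</a>' % (url, msg.subject)


def view_link(msg, topic_id, start):
    # url_quote while building the query string, html_quote once the
    # finished URL is placed inside an attribute; the subject is HTML-quoted too.
    url = 'view?message_id=%d&topic_id=%d&start=%s' % (
        msg.id, topic_id, url_quote(start))
    return '<a href="%s">%s</a>' % (html_quote(url), html_quote(msg.subject))


def parse_link_query(link):
    # What the server sees after a click: the browser decodes entities in
    # the href, sends the URL, and the framework splits the query string.
    href = link.split('href="', 1)[1].split('"', 1)[0]
    query = urlsplit(html.unescape(href)).query
    return parse_qs(query)


# Constructed sample: subject and body carry the characters under discussion,
# and start tries to smuggle a second topic_id into the query string.
SAMPLE = Msg(7, 'Re: "a" & <b>', '1 &lt; 2 <script>alert(1)</script>')
HOSTILE_START = '5&topic_id=9'

if __name__ == '__main__':
    print(naive_escape(SAMPLE.message))
    print(render_message(SAMPLE))
    print(view_link(SAMPLE, 3, HOSTILE_START))
    print(parse_link_query(naive_view_link(SAMPLE, 3, HOSTILE_START)))
    print(parse_link_query(view_link(SAMPLE, 3, HOSTILE_START)))
```

The two parse_link_query calls at the end make the point concrete: with the
naive link the server receives topic_id twice (3 and 9), whereas with
url_quote the whole string "5&topic_id=9" arrives as the single value of
start and topic_id stays 3.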