Escape problem

Jeff Epler jepler at unpythonic.net
Tue Mar 2 10:37:39 EST 2004


The exact answer depends on what library you're using in your
application.

The low-level answer is that you must properly escape characters that
would otherwise be treated specially by HTML.

For example, the output needs to look like this
    <FORM ...>
    <INPUT TYPE="text" NAME="something" VALUE="foo&quot;bar&quot;">
    ...
    </FORM>

If you do not escape or otherwise treat specially the " characters, the
resulting non-HTML output will contain something like
    <INPUT TYPE="text" NAME="something" VALUE="foo"bar"">

... this kind of bug can also lead to cross-site scripting (XSS) problems,
for instance if an attacker can control the string in question and sets
it to something like '"><SCRIPT>alert(document.cookie)</SCRIPT>'...

Jeff
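The INPUT tag from the message rendered both ways, then fed to the standard library's HTML parser to see what a browser would actually receive. This is an added example, not code from the original post; the function names and the sample values are constructed for illustration.

```python
"""Added example (not from the original post): render the INPUT tag with
and without escaping and check whether the VALUE attribute survives."""
import html
from html.parser import HTMLParser


def render_input_unescaped(name: str, value: str) -> str:
    """The buggy rendering from the post: raw interpolation into VALUE."""
    return f'<INPUT TYPE="text" NAME="{name}" VALUE="{value}">'


def render_input_escaped(name: str, value: str) -> str:
    """Escape &, <, >, " and ' so the value cannot end the attribute or tag."""
    return (f'<INPUT TYPE="text" NAME="{html.escape(name, quote=True)}" '
            f'VALUE="{html.escape(value, quote=True)}">')


class _TagCollector(HTMLParser):
    """Record every start tag with its attributes (the parser unescapes them)."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def value_survives(markup: str, expected: str) -> bool:
    """True only if the markup parses as exactly one INPUT tag whose VALUE
    round-trips to the original string; an extra tag means the value broke
    out of the attribute, a wrong value means it was truncated."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    if len(parser.tags) != 1:
        return False
    tag, attrs = parser.tags[0]
    return tag == "input" and attrs.get("value") == expected


# Constructed sample values: the two cases discussed in the post.
TRICKY_VALUES = ['foo"bar"', '"><SCRIPT>alert(document.cookie)</SCRIPT>']

if __name__ == "__main__":
    for v in TRICKY_VALUES:
        bad = render_input_unescaped("something", v)
        good = render_input_escaped("something", v)
        print(value_survives(bad, v), bad)    # False: value lost or tag split
        print(value_survives(good, v), good)  # True: value arrives intact
```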
