<%
' !!! NEVER EVER INSERT A STRING INTO HTML, JAVASCRIPT OR EVEN SQL CODE WITHOUT ESCAPING IT PROPERLY !!!
'
' HTMLescape : if the variable is to be shown on the page
'   < %=HTMLescape( variable )% >
'
' TAGescape : if it's used to set the value of a field
'
' JSescape : if it's used as a parameter to a JavaScript function
'
' URLescape : if it's to become part of a query string
'
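As an added example (not the page's own ASP helpers), the four context-specific escapers the comment names, implemented in JavaScript with assumed escaping rules, plus a render function that places each one in the context it is meant for; the sample input is constructed.

```javascript
// Context-specific output escaping. One value, four sinks, four encoders:
// the rule is "escape for the context you are writing INTO", never a single
// generic escape for everything. Escaping rules below are assumptions.

// HTMLescape: value goes between tags (<p>...</p>). Entity-encode the five
// characters that can open a tag, an entity or end a quoted attribute.
function HTMLescape(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// TAGescape: value goes inside an attribute (value="..."). Encode every
// non-alphanumeric character as &#xHH; so it is safe even if the attribute
// ends up unquoted (spaces, quotes and '=' can no longer start a new attribute).
function TAGescape(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => "&#x" + c.charCodeAt(0).toString(16).toUpperCase() + ";");
}

// JSescape: value goes inside a JavaScript string literal ('...'). Encode every
// non-alphanumeric character as \uHHHH; this covers quotes, backslashes,
// newlines and the "</script>" sequence, which the HTML parser would otherwise
// honour even inside a string.
function JSescape(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// URLescape: value becomes a query-string parameter. encodeURIComponent leaves
// !'()* untouched, so percent-encode those as well; the result contains only
// unreserved characters and '%', which is also safe inside a quoted href.
function URLescape(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Each sink gets the encoder matching its context.
function renderProfile(name) {
  return [
    `<p>Hello, ${HTMLescape(name)}</p>`,
    `<input type="text" value="${TAGescape(name)}">`,
    `<script>greet('${JSescape(name)}');</script>`,
    `<a href="/search?q=${URLescape(name)}">search</a>`,
  ].join("\n");
}

const SAMPLE = "O'Neil <b>&</b>"; // constructed input mixing all four trouble characters
console.log(renderProfile(SAMPLE));
```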