also, you can do script injection (evil laugh). Might wanna look into that bud. Yep, if I wanted to I could steal your session ID. use htmlspecialchars() to escape in php. also, you can take my forums down (labeled "cool site" and "NO INJECTION AWWWWWWWW"), they both have injections, one is a h1 element, the other is a script alerting that you can inject, just to show you the dangers of xss, both of them are persistent xss, meaning I can steal your session cookies (I won't, promise). PLEASE FIX THIS RIGHT NOW. Also, replying doesn't seem to work if it's your own post?