Defenses against Piggybacking SQL Commands
- Web applications must be programmed to carefully filter user-supplied data
- Potentially damaging characters (such as ' " ` ; * % _ ) should be filtered on the server side
- World Wide Web Security FAQ: http://www.w3.org/Security/Faq/www-security-faq.html
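A server-side filter for the characters listed above, as an added example that is not part of the original slides. The names `filter_input` and `lookup_user`, the `users` table, the length limit and the sample inputs are assumptions made for illustration; the query also binds the value as a parameter, which is a layer this example adds beyond the filtering the slide describes.

```python
import sqlite3

# Characters the slide lists as potentially damaging. Typographic quote forms
# are included too, since clients may submit them instead of ' and ".
DANGEROUS = set("'\"`;*%_") | {"\u2018", "\u2019", "\u201c", "\u201d"}


class RejectedInput(ValueError):
    """Raised when user-supplied data fails the server-side filter."""


def filter_input(value, max_len=64):
    """Reject (rather than silently strip) input with disallowed characters."""
    if not isinstance(value, str) or len(value) > max_len:
        raise RejectedInput("wrong type or too long")
    found = sorted(DANGEROUS.intersection(value))
    if found:
        raise RejectedInput("disallowed characters: " + " ".join(found))
    return value


def lookup_user(conn, raw_name):
    """Filter first, then query. Runs on the server, never in the browser."""
    name = filter_input(raw_name)
    # Bound parameter: an addition of this example on top of the filter.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run constructed sample inputs through the filter and the query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    results = {}
    # Constructed inputs: one normal value, one piggybacked command, one wildcard.
    for raw in ["alice", "x'; DROP TABLE users; --", "a%"]:
        try:
            results[raw] = lookup_user(conn, raw)
        except RejectedInput as exc:
            results[raw] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for raw, outcome in demo().items():
        print(repr(raw), "->", outcome)
```

Rejecting the whole request, instead of deleting the offending characters and continuing, keeps the filter from turning one malformed value into a different valid-looking one.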