Say...any ideas on how to handle this Cross-Site scripting problem besides what CERT and Microsoft are advocating - turning off Active Scripting in your browser, or killing all special characters (%, ', >, <, etc.) on all form submits with a VBScript function?

For my biz, these two "solutions" are unacceptable. My users use language like 42% spent, or Steve's Budget, etc. - they use % and single quote all the time.

Anybody have a silver bullet to kill this beast?
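
An added example, not part of the original post: it contrasts the character-stripping approach the post describes with encoding the stored value at the point it is written into HTML, using the post's own sample inputs. It is written in Python for illustration; the function names, the stripped-character list and the markup-bearing sample are assumptions constructed for the example.

```python
import html

# Characters the post describes stripping on every form submit (constructed list).
STRIPPED = "%'<>&\""


def strip_special(value: str) -> str:
    """The approach the post rejects: delete special characters on input."""
    return "".join(ch for ch in value if ch not in STRIPPED)


def encode_for_html(value: str) -> str:
    """Keep the input unchanged in storage; encode it when writing it into HTML."""
    # quote=True also encodes " and ' so the result is safe inside a quoted attribute.
    return html.escape(value, quote=True)


def render_field(name: str, value: str) -> str:
    """Hypothetical helper: echo a submitted value in attribute and text context."""
    safe_name = encode_for_html(name)
    safe_value = encode_for_html(value)
    return (
        f'<input name="{safe_name}" value="{safe_value}">'
        f"<p>{safe_value}</p>"
    )


# Constructed sample inputs: the two from the post plus one markup-bearing value.
SAMPLES = ["42% spent", "Steve's Budget", "<script>alert(1)</script>"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("input   :", sample)
        print("stripped:", strip_special(sample))      # legitimate data is lost
        print("encoded :", encode_for_html(sample))    # data kept, markup inert
        print("rendered:", render_field("note", sample))
        print()
```

Encoding is reversible (`html.unescape` returns the original string), so the stored data keeps its `%` and `'`, while stripping changes what the user typed.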