So what happened is our <input> looks something like this. I left off the other attribute; it's no big deal. Our variable (month) gets substituted into the string. So if month="November", the string "November" renders and we get a text box that looks like this, which is what we'd expect.

But if (month) equals the string foo, with a quote in it, and an angled bracket and some more text, the string we'll render ends up looking something like this, where we substitute this variable into here, because the value for (month) is actually this whole string, including the quote and the angled bracket, which screwed up our HTML. So our browser saw this, and it sees an <input> and says: value equals "foo"; and then it sees a closing quote and a closing angled bracket, and it gets this other string, derp, and it just prints that. So that's, obviously, not the behavior we want.

The rendered HTML ends up looking, or in the browser ends up looking, something like this. You've got a text box with the word "foo" in it, and then it's just a quote and an angled bracket, and the string derp just hanging out there and, you know, that's not what we intended.

And what's really scary is this allows somebody who knows how our Web site works to not just enter random text, but what if they put HTML in our <input>? What if, instead of (derp), it was something better? Let's look at that in our browser.

So we're going to enter our bad data again, and this time we're going to put HTML in there. Okay. So this time, I've put in a quote, an angled bracket to close our tag, and then I've put some HTML: a line break and some bold text. And let's see what happens now. Oh, man! We completely broke our form. You know, now we're printing the bold text, "oh no!" and we add a line break and this allows a user to completely manipulate what our document looks like. So that is not something we want to allow. Let's talk about how to fix this.
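
The substitution described above, as an added Python example that is not code from the lecture: it renders the text box from the user's string, then parses the result to show which tags and loose text come out. The template, the `name="month"` attribute and all function names are assumptions, and the escaped variant goes one step past the transcript, which stops before the fix.

```python
import html
from html.parser import HTMLParser

# Assumed template: the lecture only shows a text box whose value attribute
# is filled from the month variable; name="month" is a guess.
TEMPLATE = '<input name="month" value="%s">'


def render_raw(month):
    """Substitute the user's string unchanged, as the form in the lecture does."""
    return TEMPLATE % month


def render_escaped(month):
    """Same template, with &, <, > and both quote characters made entities."""
    return TEMPLATE % html.escape(month, quote=True)


class Outline(HTMLParser):
    """Records what a parser sees: start tags with attributes, and loose text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.events = []

    def handle_starttag(self, tag, attrs):
        self.events.append(("tag", tag, dict(attrs)))

    def handle_data(self, data):
        if data.strip():
            self.events.append(("text", data.strip()))


def outline(markup):
    """Return the list of tags and text found in a piece of rendered HTML."""
    parser = Outline()
    parser.feed(markup)
    parser.close()
    return parser.events


if __name__ == "__main__":
    # Constructed inputs: the two strings typed in the lecture, plus a normal one.
    for month in ["November", 'foo"> derp', 'foo"><br><b>oh no!</b>']:
        print("input  :", month)
        print("raw    :", outline(render_raw(month)))
        print("escaped:", outline(render_escaped(month)))
```

With raw substitution the value is cut off at `foo` and the rest of the string is parsed as markup; with escaping the parser sees a single text box whose value is the whole string the user typed.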