in reply to Matching text in a string

The templating advice you’ve already got is excellent. And though I’m just guessing you’ve got the issue from your example, please also consider — http://yourapp/path?firstname=3Cscript%20src%3D%22%2F%2Fhaxed.hx%22%20%2F%3E. User data RFC:MUST never be reflected verbatim in a web application.
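The point about reflected user data, as an added example that is not part of the original post: the same request parameter rendered verbatim and then HTML-encoded at output time. The post does not name a language, so Python's standard library is used here; the function names are hypothetical and the sample URL is constructed, modelled on the one in the post.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample request, modelled on the URL in the post (assumption).
SAMPLE_URL = ("http://yourapp/path?firstname="
              "%3Cscript%20src%3D%22%2F%2Fhaxed.hx%22%20%2F%3E")


def get_param(url, name):
    """Return the first percent-decoded value of a query parameter ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_verbatim(firstname):
    """Vulnerable: decoded user data is pasted straight into the markup."""
    return "<p>Hello, " + firstname + "!</p>"


def render_escaped(firstname):
    """Hardened: encode <, >, &, and both quote characters when writing HTML."""
    return "<p>Hello, " + html.escape(firstname, quote=True) + "!</p>"


def render_field_escaped(firstname):
    """Same encoding inside a quoted attribute value, so the quotes cannot close it."""
    return '<input name="firstname" value="' + html.escape(firstname, quote=True) + '">'


def reflected_raw(value, page):
    """Check for a test suite: did a value containing markup reach the page unencoded?"""
    return any(ch in value for ch in "<>\"'&") and value in page


if __name__ == "__main__":
    name = get_param(SAMPLE_URL, "firstname")
    for render in (render_verbatim, render_escaped, render_field_escaped):
        page = render(name)
        print(render.__name__, "reflected raw:", reflected_raw(name, page))
        print("  ", page)
```

`html.escape` covers HTML text and quoted-attribute contexts only; values written into script blocks, URLs or CSS need the encoder for that context, which is what a templating system with auto-escaping selects for you.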