The issue: Cross site scripting attacks caused by inproper escaping. Every user input may contain characters which will be interpreted by the displaying programm. Hallo Welt.'; echo $text; echo htmlentities( $text ); ?>]]> The solution: Use escape functions on output Remember, that database content may be user input to. Hint: Consider the context of output, or use a template system which automatically takes care of output escaping context = new ezcTemplateXhtmlContext(); $t = new ezcTemplate(); $t->process( "hello_world.ezt" ); ?>]]> In eZ Template variables are escaped according to the context of the output Hello world!'} {$myVar} ]]> To not escape the content of the var, you need to call raw explicitely Hello world!'} {raw $myVar} ]]>