Hi, I'm relatively new to Zope so I hope I haven't missed anything obvious.

I'm building a small project manager for an intranet site. Normally I use MySQL to store data but this time I store the information in DTML Documents as in the Guest book example. Text in the document and adding properties to the document. The information is added to Zope via an input form exactly as in the example. Then rendering the document with html_quote so they can't sneak in HTML code. But it doesn't stop sneaking in DTML code, as I found out when I tested.

OK, maybe I missed something, I thought, so I implemented the guest book from the Zope book. Still no protection against DTML code. I can get information from Zope and of course crash the guest book.

I can easily change my project manager to add the text in a property so it won't render. Other suggestions? But I don't think an example in the Zope book should have this security issue. I hope I missed something.

/Nocke
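An added example, not part of the original post and not code from the Zope book: a minimal Python check that flags DTML markup in submitted form text and escapes it before it is stored in a DTML Document body. The function names and the regular expression are assumptions made for this sketch; the pattern approximates the tag, legacy comment and entity spellings of DTML and is not Zope's own parser.

```python
import html
import re

# Approximation (constructed for this example) of the three DTML spellings.
DTML_MARKUP = re.compile(
    r"</?dtml-[^>]*>"        # tag form:    <dtml-var title>, </dtml-in>
    r"|<!--#.*?-->"          # legacy form: <!--#var title-->
    r"|&dtml[-.][^;\s]*;",   # entity form: &dtml-title;
    re.IGNORECASE | re.DOTALL,
)


def find_dtml(text):
    """Return every DTML construct found in submitted text, in order."""
    return [m.group(0) for m in DTML_MARKUP.finditer(text)]


def neutralise(text):
    """Escape '<', '>' and '&' at storage time.

    After escaping, none of the three spellings survives, so the stored body
    is inert when the document is rendered. If the page also applies
    html_quote on output, the text will be escaped twice.
    """
    return html.escape(text, quote=True)


def prepare_entry(text):
    """Return (text_to_store, findings) for one form submission.

    findings is non-empty when the submission contained DTML markup,
    which is worth logging on an intranet site.
    """
    return neutralise(text), find_dtml(text)


if __name__ == "__main__":
    # Constructed sample submissions.
    samples = [
        "Looks good, thanks!",
        "Status: <dtml-var title> / &dtml-id; / <!--#var id-->",
    ]
    for s in samples:
        stored, findings = prepare_entry(s)
        print(repr(stored), findings)
```

Storing the text in a property, as the post suggests, avoids the problem without any filtering because property values are not parsed as DTML.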