Embedding strings in HTML used to be classified as ``mostly harmless,'' because the HTML generated will be displayed to the client, i.e. the attacker that originated the request. So normally, the only person that will get hurt is the attacker himself. However, that is not quite true.
XXX: Explain cross site scripting
The picture changes further with XML, which seems to be becoming the data exchange format of choice for Web applications, and eCommerce in particular. If a client includes XML markup in a string, and that string is embedded verbatim in an XML request, it can change the nature of the entire request.
To protect your application from attacks like this, you should make sure
that any input you receive from the client is sanitized before you embed
it in XML documents (but after any HTTP unquoting - see
section 7.6). The most common approach is to quote
the special characters <, > and & as &lt;,
&gt; and &amp;, respectively.
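The following is an added example (not code from the original text) showing the order of operations the paragraph describes: the client's parameter is HTTP-unquoted first, then the three special characters are escaped, and only then is the value embedded in the XML request. The request layout (`<order><item>...</item></order>`), the function names and the sample parameter values are assumptions made up for the illustration; the unsanitized builder is included only to show, with a parser, why the escaping matters.

```python
import urllib.parse
import xml.etree.ElementTree as ET


def xml_escape(text: str) -> str:
    """Quote <, > and & as the text recommends.

    '&' is replaced first; otherwise the '&' introduced by '&lt;' and
    '&gt;' would itself be rewritten to '&amp;lt;' / '&amp;gt;'.
    """
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;"))


def build_order_request(raw_query_value: str) -> str:
    """Embed a URL-encoded client parameter in a (hypothetical) XML request.

    HTTP unquoting happens before escaping, so the escaping is applied to
    exactly the characters that will end up in the document.
    """
    client_value = urllib.parse.unquote_plus(raw_query_value)
    return f"<order><item>{xml_escape(client_value)}</item></order>"


def build_order_request_unsanitized(raw_query_value: str) -> str:
    """Same request, but the client value is embedded verbatim.

    Kept only for comparison: any markup in the parameter becomes part
    of the request structure.
    """
    client_value = urllib.parse.unquote_plus(raw_query_value)
    return f"<order><item>{client_value}</item></order>"


def item_texts(xml_doc: str) -> list:
    """Parse the request and return the text of every <item> element."""
    root = ET.fromstring(xml_doc)
    return [item.text for item in root.findall(".//item")]


if __name__ == "__main__":
    # Constructed sample parameter: "book</item><item>extra" after unquoting.
    sample = "book%3C%2Fitem%3E%3Citem%3Eextra"
    print(item_texts(build_order_request(sample)))              # one item
    print(item_texts(build_order_request_unsanitized(sample)))  # two items
```

With the escaping in place the parser sees a single `<item>` whose text is the whole client string, markup included; without it the same parameter yields two `<item>` elements. Python's standard library offers the same three replacements as `xml.sax.saxutils.escape`, which can be used in place of the hand-written `xml_escape`.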