...

Warning

The above example is susceptible to cross-site scripting attacks. Whenever you output a variable in a template, you should consider whether that output should be HTML-escaped.

The proper way to render the input field above is this:

<input type='text' name='address1' value='$i18n.escape($!form.address1)' />   <!-- this is safe. -->

The I18nWriter object bound to $i18n escapes any HTML in the value properly, which avoids both injection attacks and page breakage.
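As an added example, not code from the original page or the project it documents, the same escape-on-output rule in Python: a small HTML escaper standing in for what $i18n.escape does (the function names and the sample address are assumptions), rendered beside the unsafe form, with a check that the single-quoted attribute survives intact.

```python
# Added example (not the project's code): HTML-escaping a template variable
# before it lands inside a single-quoted attribute value, as the page's
# $i18n.escape($!form.address1) call does. All names here are illustrative.

ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
}


def html_escape(value):
    """Escape the five HTML-significant characters one character at a time
    (a per-character map, so already-escaped input is not double-handled
    incorrectly: '&' always becomes '&amp;')."""
    if value is None:  # mirrors Velocity's quiet $! reference: null renders as empty
        return ""
    return "".join(ESCAPES.get(ch, ch) for ch in str(value))


def render_unsafe(address):
    """The pattern the page warns about: the raw variable inside an attribute."""
    return "<input type='text' name='address1' value='%s' />" % ("" if address is None else address)


def render_safe(address):
    """The page's recommended form: escape on output."""
    return "<input type='text' name='address1' value='%s' />" % html_escape(address)


def attribute_intact(markup):
    """Crude structural check: the value attribute's single-quoted contents
    must hold no raw '<' or '>', and the first closing quote must be the
    one that ends the tag. Returns False when the value broke out."""
    prefix = "value='"
    start = markup.index(prefix) + len(prefix)
    end = markup.index("'", start)
    inner = markup[start:end]
    return "<" not in inner and ">" not in inner and markup[end:] == "' />"


# Constructed sample: an ordinary-looking address that happens to contain
# characters which end a single-quoted attribute or open a tag.
SAMPLE = "12 Bob's <Main> St. & \"Annex\""

if __name__ == "__main__":
    print(render_unsafe(SAMPLE))   # attribute ends early at Bob'
    print(render_safe(SAMPLE))     # value stays inside the attribute
```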

...