how can I prevent "cross site scripting" messages?