Thursday, March 22, 2007

Using Server.HTMLEncode on Classic ASP

If you have ASP pages that display strings stored in database fields, you should always pass those strings through the Server.HTMLEncode method. Otherwise a string will not be displayed correctly in the user's browser if it contains characters that have a special meaning in HTML, such as the double quote ("), the less-than (<) and greater-than (>) signs, the ampersand (&), and any character whose ANSI code is greater than 127.

It is easy to write these entities by hand in a static ASP page, but when such characters come from your database you need to encode them dynamically. To do so, apply the HTMLEncode method to the recordset data before it is written to the Response object:

Response.Write Server.HTMLEncode(rs.Fields("my_field"))

Another example:

<%
Dim sLink

' A VBScript string literal is delimited by double quotes, so the href
' attribute inside the markup uses single quotes (the original line broke
' the string by using unescaped double quotes).
sLink = "<a href='http://www.printerspost.com.au'>Printers Post Australia</a>"

' Written raw, the browser renders a clickable link; encoded, the same
' markup is shown as literal text.
Response.Write "Not HTMLEncoded string: " & sLink & "<br/><br/>"
Response.Write "HTMLEncoded string: " & Server.HTMLEncode(sLink)
%>
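The same encoding is what stops text stored in the database from being interpreted as markup or script when it is rendered, and Server.HTMLEncode raises an error when handed a Null field, so in practice you want a small wrapper around it. The following is an added example, not code from the original post; the function name SafeHTML and the sample value sComment are names chosen here.

```vbscript
<%
' Added example: a Null-safe wrapper around Server.HTMLEncode for
' recordset fields. SafeHTML is a name chosen for this example.

Function SafeHTML(value)
    ' Server.HTMLEncode fails on Null (e.g. a NULL database column) and on
    ' an uninitialised variant, so map both to an empty string first.
    If IsNull(value) Or IsEmpty(value) Then
        SafeHTML = ""
    Else
        SafeHTML = Server.HTMLEncode(CStr(value))
    End If
End Function

' Constructed sample standing in for rs.Fields("comment"): it contains every
' character class the post lists (quotes, ampersand, angle brackets).
Dim sComment
sComment = "5 > 3 & <b>bold</b> ""quoted"""

' Encoded output is: 5 &gt; 3 &amp; &lt;b&gt;bold&lt;/b&gt; &quot;quoted&quot;
' The browser shows the text verbatim instead of rendering the <b> tag.
Response.Write "<p>" & SafeHTML(sComment) & "</p>"

' A NULL field produces an empty paragraph rather than a runtime error.
Response.Write "<p>" & SafeHTML(Null) & "</p>"
%>
```

Use SafeHTML(rs.Fields("my_field")) in place of the bare Server.HTMLEncode call wherever a column may contain NULL.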
