Always (always, always, I'm not kidding) use htmlspecialchars(): echo htmlspecialchars($_POST['contact_list']);