I've got a standard login form:

    <% form_tag session_path do -%>
      <p><label for="login">Login</label><br/>
      <%= text_field_tag 'login', h(@login) %></p>
      <p><label for="password">Password</label><br/>
      <%= password_field_tag 'password', nil %></p>
      <p><%= submit_tag 'Log in' %></p>
    <% end -%>

I've included the @login variable in an html_escape, because I saw that if you enter /><iframe>... as login name, the error gets caught, but the form is now displayed with an iframe. So cross-site scripting wide open! However, even with the h(@login), the iframe is still displayed, so it looks like my @login variable isn't escaped. Does anyone know of this problem?
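To show what escaping a reflected login value actually does, here is an added Ruby example (not code from the post, and not Rails' own form helpers, which build the tag through their own escaping attribute code): it assembles the login input tag with and without ERB::Util.html_escape, the function behind the `h` helper, on a constructed value of the kind described above. The helper names are hypothetical.

```ruby
require 'erb'

# Hypothetical helpers (added example) that build the login <input> the way
# the form above renders it, with and without escaping the reflected value.

# Unescaped: the submitted login is dropped straight into the value attribute,
# so a quote in it closes the attribute and the rest becomes live markup.
def login_input_unescaped(login)
  %(<input type="text" name="login" id="login" value="#{login}" />)
end

# Escaped: ERB::Util.html_escape is what Rails' `h` helper calls; it turns
# " < > & into entities so the browser keeps the whole value inside the attribute.
def login_input_escaped(login)
  %(<input type="text" name="login" id="login" value="#{ERB::Util.html_escape(login)}" />)
end

# Detection check: does the rendered fragment contain any element other than
# the single <input> we built? True means the value broke out of the attribute.
def injected_tag?(html)
  html.scan(/<\s*([a-z]+)/i).flatten.map(&:downcase).any? { |t| t != 'input' }
end

# Constructed sample value of the kind the post describes: it closes the
# value attribute and the tag, then adds its own element.
SAMPLE_LOGIN = %("/><iframe src="about:blank"></iframe>)

if __FILE__ == $0
  puts login_input_unescaped(SAMPLE_LOGIN) # breaks out of the attribute
  puts login_input_escaped(SAMPLE_LOGIN)   # stays a plain attribute value
end
```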