Form text field values are regularly displayed in the same form back to
the user after fe. the user made an error. The user could input
malicious script code into the text field which is then rendered in the
browser into the redisplayed form.
My question is: will this script be executed in the browser, given the
fact that it is put in a form field?
<form> <input type="text"
value="<script>malicious_code</script> /> ...
</form>
I would guess: no.
The reason I ask is, because it seems impossible to escape this script
code with the h() function:
<%= h(text_field ''user'', ''name'')%>
does not work. But if the script in
the form cannot be run, the use o f the h() will not be needed at all.
Regards,
Fino
--
Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
