Form text field values are regularly displayed in the same form back to the user after, e.g., the user made an error. The user could input malicious script code into the text field, which is then rendered in the browser into the redisplayed form. My question is: will this script be executed in the browser, given the fact that it is put in a form field?

    <form>
      <input type="text" value="<script>malicious_code</script>" />
      ...
    </form>

I would guess: no.

The reason I ask is because it seems impossible to escape this script code with the h() function:

    <%= h(text_field 'user', 'name') %>

does not work. But if the script in the form cannot be run, the use of the h() will not be needed at all.

Regards,
Fino
--
Posted via http://www.ruby-forum.com/.
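An added example, not from the post or from Rails itself: `safe_text_field` is a hypothetical stand-in for the `text_field` helper that escapes the value with `ERB::Util.html_escape` (the method behind Rails' `h()`), and `double_escaped_text_field` shows what happens when the already-generated tag is wrapped in `h()` again.

```ruby
require 'erb'

# Hypothetical minimal stand-in for Rails' text_field helper (not the real
# implementation). The submitted value is HTML-escaped before being placed
# inside the quoted value="..." attribute, so <, >, " and ' become entities
# and the browser treats the whole value as inert attribute text.
def safe_text_field(object, method, value)
  escaped = ERB::Util.html_escape(value)
  %(<input type="text" name="#{object}[#{method}]" id="#{object}_#{method}" value="#{escaped}" />)
end

# Wrapping the complete tag in h() again, as in <%= h(text_field 'user', 'name') %>,
# escapes the tag's own angle brackets and quotes too: the browser shows the
# markup as literal text instead of rendering an input element.
def double_escaped_text_field(object, method, value)
  ERB::Util.html_escape(safe_text_field(object, method, value))
end

# Constructed sample input: the value from the question, redisplayed in the form.
SUBMITTED_NAME = "<script>malicious_code</script>"

if __FILE__ == $0
  puts safe_text_field('user', 'name', SUBMITTED_NAME)
  puts double_escaped_text_field('user', 'name', SUBMITTED_NAME)
end
```

The first line of output is a normal input whose value is shown verbatim to the user; the second is an escaped tag that no longer renders as a form field.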