2006 Oct 01
Combine h() with text_field
...uld input malicious script code into the text field, which is then rendered in the browser into the redisplayed form.

My question is: will this script be executed in the browser, given the fact that it is put in a form field?

<form> <input type="text" value="<script>malicious_code</script>" /> ... </form>

I would guess: no.

The reason I ask is because it seems impossible to escape this script code with the h() function: <%= h(text_field 'user', 'name') %> does not work. But if the script in the form cannot be run...
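An added example, not part of the original post and not Rails code, that makes the two points above concrete. An HTML parser treats everything inside a properly double-quoted attribute value as text, so a "<script>" that stays inside value="..." is never a tag; the real risk is input that contains a double quote, which closes the attribute and turns the rest into live markup. Escaping the attribute value prevents that (Rails' text_field helper escapes attribute values through its tag helper; the version below is a standalone reimplementation of that behaviour, stated here as an assumption about Rails rather than quoted from it). Wrapping the whole helper in h(), by contrast, escapes the "<input>" tag itself, so the browser displays the markup as literal text, which is why that approach "does not work". The helper names naive_text_field, text_field, tag_names and renders_live_script?, and the two sample inputs, are constructed for this example.

```ruby
# Added example: a standalone model of why h() around text_field "does not
# work" and where the real risk in a form field lies. Not Rails code; the
# helpers below imitate the shape of Rails' output only.

# Stand-in for Rails' html_escape / h(): the five HTML-significant characters.
# '&' goes first so the entities produced for the others are not re-escaped.
def html_escape(s)
  s.to_s.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;")
        .gsub('"', "&quot;").gsub("'", "&#39;")
end

def h(s)
  html_escape(s)
end

# Vulnerable form: user input interpolated straight into the value attribute.
def naive_text_field(object, method, value)
  %(<input type="text" id="#{object}_#{method}" name="#{object}[#{method}]" value="#{value}" />)
end

# Corrected form: the attribute value is escaped, so a quote in the input
# cannot close the attribute. Modelled on what Rails' tag helpers do
# (an assumption; this is a reimplementation, not the Rails source).
def text_field(object, method, value)
  %(<input type="text" id="#{object}_#{method}" name="#{object}[#{method}]" value="#{html_escape(value)}" />)
end

# Tiny markup-level scanner: lists the tag names an HTML parser would see.
# Inside a tag, a double-quoted attribute value is consumed as text, which is
# exactly why "<script>" that stays inside value="..." is not a tag.
# Only double-quoted attributes are handled, which is what the helpers emit.
def tag_names(html)
  names = []
  i = 0
  while i < html.length
    if html[i] != "<"
      i += 1
      next
    end
    j = i + 1
    j += 1 if html[j] == "/"                       # end-tag marker
    j += 1 while j < html.length && html[j] =~ /[A-Za-z0-9]/
    name = html[(i + 1)...j]                       # e.g. "input", "/script"
    in_quote = false
    while j < html.length                          # find the tag's closing '>'
      c = html[j]
      if c == '"'
        in_quote = !in_quote
      elsif c == ">" && !in_quote
        break
      end
      j += 1
    end
    names << name.downcase unless name.empty?
    i = j + 1
  end
  names
end

# True when the rendered markup contains a live <script> start tag.
def renders_live_script?(html)
  tag_names(html).include?("script")
end

# Constructed sample inputs (not from the original post).
SAMPLE_SCRIPT   = "<script>malicious_code</script>"      # the post's case: stays inside the quotes
SAMPLE_BREAKOUT = "\"><script>malicious_code</script>"   # a leading quote closes the attribute first

if __FILE__ == $0
  [SAMPLE_SCRIPT, SAMPLE_BREAKOUT].each do |input|
    puts "input:          #{input.inspect}"
    puts "naive, tags:    #{tag_names(naive_text_field('user', 'name', input)).inspect}"
    puts "escaped, tags:  #{tag_names(text_field('user', 'name', input)).inspect}"
    puts "h(text_field):  #{tag_names(h(text_field('user', 'name', input))).inspect}  (no tags: markup shown as text)"
    puts
  end
end
```

Run it with ruby and compare the three tag lists per input: the naive field only becomes dangerous once the input closes the attribute, the escaped field never does, and h() over the whole helper yields no tags at all because the input element itself has been escaped away.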