search for: malicious_code

Displaying 1 result from an estimated 1 matches for "malicious_code".

2006 Oct 01
0
Combine h() with text_field
...uld input malicious script code into the text field which is then rendered in the browser into the redisplayed form. My question is: will this script be executed in the browser, given the fact that it is put in a form field? <form> <input type="text" value="<script>malicious_code</script> /> ... </form> I would guess: no. The reason I ask is, because it seems impossible to escape this script code with the h() function: <%= h(text_field 'user', 'name')%> does not work. But if the script in the form cannot be run,...