Form text field values are regularly displayed in the same form back to
the user after fe. the user made an error. The user could input
malicious script code into the text field which is then rendered in the
browser into the redisplayed form.
My question is: will this script be executed in the browser, given the
fact that it is put in a form field?
<input type="text" value="<script>malicious_code</script> /> ...
</form>
<p>I would guess: no.</p>
<p>The reason I ask is, because it seems impossible to escape this script<br>
code with the h() function:</p>
<p><%= h(text_field ‘user’, ‘name’)%> does not work. But if the script in<br>
the form cannot be run, the use o f the h() will not be needed at all.</p>
<p>Regards,</p>
<p>Fino</p>