I’ve got a standard login form:
<% form_tag session_path do -%>
Login
<%= text_field_tag 'login', h(@login) %>
Password
<%= password_field_tag 'password', nil %>
<%= submit_tag 'Log in' %>
<% end -%>
I’ve included the @login variable in an html_escape, because I saw
that if you enter />
However, even with the h(@login), the iframe is still displayed, so it
looks like my @login variable isn’t escaped. Does anyone know of this
problem?
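An added example (not code from the original post, and not a diagnosis of the poster's application) showing what attribute escaping does and does not buy you. It renders a constructed attacker login through a plain ERB template with and without `h` (Ruby's `ERB::Util.html_escape`, the same function Rails' `h` wraps), checks whether an `<iframe` start tag survives as markup, and shows two points a practitioner wants to verify: applying `h` twice double-escapes (`&lt;` becomes `&amp;lt;`), and escaping in the form input protects only that attribute, not any other template that prints the same value unescaped. The templates and the attacker string are constructed for this illustration.

```ruby
require 'erb'
include ERB::Util # gives us h / html_escape at top level, like Rails' h

# Constructed attacker-supplied login (sample input, not from the original post):
# closes the value="..." attribute, injects an iframe, then re-opens an attribute
# so the surrounding markup still parses.
ATTACKER_LOGIN = %q{" /><iframe src="http://attacker.example/"></iframe><input value="}

# Hypothetical templates standing in for the login form and a greeting elsewhere.
FORM_UNESCAPED = ERB.new(%q{<input type="text" name="login" value="<%= login %>" />})
FORM_ESCAPED   = ERB.new(%q{<input type="text" name="login" value="<%= h(login) %>" />})
GREETING_UNESCAPED = ERB.new(%q{<p>Welcome back, <%= login %></p>})
GREETING_ESCAPED   = ERB.new(%q{<p>Welcome back, <%= h(login) %></p>})

def render(template, login)
  template.result_with_hash(login: login)
end

# True when the rendered output still contains a live iframe start tag,
# i.e. the injected text was emitted as HTML instead of as data.
def injected?(html)
  !!(html =~ /<iframe\b/i)
end

def render_form_unescaped(login)     = render(FORM_UNESCAPED, login)
def render_form_escaped(login)       = render(FORM_ESCAPED, login)
def render_greeting_unescaped(login) = render(GREETING_UNESCAPED, login)
def render_greeting_escaped(login)   = render(GREETING_ESCAPED, login)

# Escaping an already-escaped string escapes the ampersands of the entities,
# so the user sees literal "&lt;" text rather than "<".
def double_escape(str)
  h(h(str))
end

if __FILE__ == $0
  puts "unescaped form : #{render_form_unescaped(ATTACKER_LOGIN)}"
  puts "escaped form   : #{render_form_escaped(ATTACKER_LOGIN)}"
  puts "unescaped greet: #{render_greeting_unescaped(ATTACKER_LOGIN)}"
  puts "double escape  : #{double_escape('<iframe>')}"
end
```

The check to run against a page that "still shows the iframe" is the `injected?` one: take the full response body, not just the form partial, and look for the live tag. If the attribute in the form is clean but the tag still appears, it came from a different output point in the same page.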