h() or html_escape() does not escape the single quote... risk

Andreas S. wrote:

<input type='hidden' value='<%= h(user_comment) %>'>

Just don't, it's not correct HTML.

really -- i thought HTML 4.01 allows using either double or single

perhaps, but if h() doesn't escape single quotes then you'd want to
avoid using single quotes as the attribute value delimiter.
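As an added illustration (not code from the thread): a small Ruby check that tells you whether an escaping helper is safe to use inside a given attribute delimiter. `legacy_escape` is a constructed stand-in for the h() behaviour described above, not the real helper.

```ruby
# Constructed stand-in for an h()/html_escape() that, as the thread
# describes, escapes &, <, > and " but leaves the single quote alone.
def legacy_escape(str)
  str.to_s.gsub('&', '&amp;').gsub('<', '&lt;')
          .gsub('>', '&gt;').gsub('"', '&quot;')
end

# Escaper that also neutralises the single quote, so its output is safe
# inside either a double-quoted or a single-quoted attribute value.
def full_escape(str)
  legacy_escape(str).gsub("'", '&#39;')
end

# Audit helper: true only if the escaper leaves no raw copy of the
# delimiter that would terminate the attribute value early.
# `delimiter` is the quote character used around the attribute value.
def safe_for_delimiter?(delimiter, &escaper)
  probe = "x#{delimiter}y#{delimiter}z"   # constructed probe input
  !escaper.call(probe).include?(delimiter)
end

if __FILE__ == $PROGRAM_NAME
  puts safe_for_delimiter?('"') { |s| legacy_escape(s) }  # true
  puts safe_for_delimiter?("'") { |s| legacy_escape(s) }  # false: the risk above
  puts safe_for_delimiter?("'") { |s| full_escape(s) }    # true
end
```

Run the check against the actual helper in your stack (for example `ERB::Util.html_escape`) rather than the stand-in here; which characters it escapes depends on the version you have installed.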