h() or html_escape() does not escape the single quote... risk

Andreas S. wrote:

<input type='hidden' value='<%= h(user_comment) %>'>

Just don't; it's not correct HTML.

Really -- I thought HTML 4.01 allows using either double or single
quotes?

Perhaps, but if h() doesn't escape single quotes then you'd want to
avoid using single quotes as the attribute value delimiter.