h() or html_escape() does not escape the single quote... risk

Andreas S. wrote:

<input type='hidden' value='<%= h(user_comment) %>'>

Just don't, it's not correct HTML.

Really -- I thought HTML 4.01 allows using either double or single quotes?

Perhaps, but if h() doesn't escape single quotes then you'd want to avoid using single quotes as the attribute value delimiter.
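As an added example (not from the thread and not Rails' own code), this Ruby models the behaviour the posters describe: an escaper that handles &, <, > and " but leaves ' alone, a hardened variant that escapes ' as well, and a check that counts the attributes of the rendered tag to show when the untrusted value has broken out of its single-quoted attribute. The names legacy_h, hardened_h, hidden_input and attribute_names, and the sample comment, are assumptions for illustration.

```ruby
# Modelled on the behaviour the thread describes for h()/html_escape():
# &, <, > and " are escaped, the single quote is not. Not Rails' own source.
def legacy_h(text)
  text.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# Hardened escaper: additionally turns ' into &#39;, so the value can never
# terminate an attribute whichever quote character delimits it.
def hardened_h(text)
  legacy_h(text).gsub("'", '&#39;')
end

# Render the hidden input from the thread with the given delimiter and escaper.
def hidden_input(value, quote:, escaper:)
  "<input type=#{quote}hidden#{quote} value=#{quote}#{escaper.call(value)}#{quote}>"
end

# List the attribute names of one rendered tag by following the quoting rules
# (name="..." or name='...'). A correct render has exactly two: type and value.
# A third attribute means the untrusted value escaped its attribute context.
def attribute_names(tag)
  tag.scan(/\s([a-zA-Z-]+)=(?:"[^"]*"|'[^']*')/).flatten
end

# Constructed untrusted input (assumption): a comment that carries a single quote.
USER_COMMENT = "nice post' title='injected"

def demo(quote, escaper)
  attribute_names(hidden_input(USER_COMMENT, quote: quote, escaper: escaper))
end
```

With single-quote delimiters and the legacy escaper the tag gains an attribute the template never wrote; switching the delimiter to double quotes or escaping the single quote both keep the count at two.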