I've got a standard login form:
    <% form_tag session_path do -%>
      <p><label for="login">Login</label><br/>
      <%= text_field_tag 'login', h(@login) %></p>
      <p><label for="password">Password</label><br/>
      <%= password_field_tag 'password', nil %></p>
      <p><%= submit_tag 'Log in' %></p>
    <% end -%>
I've wrapped the @login variable in an html_escape, because I saw that if you enter /><iframe>... as the login name, the error is caught, but the form is now displayed with an iframe. So cross-site scripting is wide open!
However, even with the h(@login), the iframe is still displayed, so it looks like my @login variable isn't being escaped. Does anyone know of this problem?
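To show the mechanism behind the question (a login value breaking out of the input's value attribute, and what attribute escaping does to it), here is an added, stand-alone Ruby example. It is not code from the question, and it does not use Rails: the tag is built by hand, and the escaping is done with the standard library's ERB::Util.html_escape, which is the same routine Rails' h() helper delegates to. The payload, attacker host and function names are constructed for the example; the payload begins with a closing double quote because the attribute it targets is double-quoted.

```ruby
require 'erb'

# Constructed attacker-controlled login value, modelled on the one in the
# question: it closes the value attribute and the input tag, then injects
# a new element.
MALICIOUS_LOGIN = '"/><iframe src="http://attacker.example/"></iframe>'

# Builds the input tag by hand with no escaping, the way a naive template
# would. The login value is dropped straight into the attribute.
def unsafe_login_field(login)
  %(<input type="text" name="login" id="login" value="#{login}" />)
end

# Same tag, but the attribute value goes through ERB::Util.html_escape,
# which turns & < > " ' into entities so the value cannot close the
# attribute or the tag.
def safe_login_field(login)
  escaped = ERB::Util.html_escape(login)
  %(<input type="text" name="login" id="login" value="#{escaped}" />)
end

# Crude check used here only to show the difference: does the rendered
# markup contain an <iframe start tag as real markup?
def contains_iframe_tag?(html)
  html.include?('<iframe')
end

if __FILE__ == $0
  puts unsafe_login_field(MALICIOUS_LOGIN)
  puts safe_login_field(MALICIOUS_LOGIN)
end
```

Run with `ruby attr_escape.rb`: the unescaped variant prints an input tag followed by a live <iframe>, while the escaped variant prints a single input whose value reads `&quot;/&gt;&lt;iframe ...` and stays inside the attribute. The check used is a string search, not an HTML parser, so it is only meant to make the difference visible.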