> > How about the belt and suspenders approach?
>
> <%= h sanitize(todo.description) %>
>
Is h not enough? If there is XSS stuff in the description, won't h just escape it so that the browser never executes it?

Reinier

_______________________________________________
Tracks-discuss mailing list
[email protected]
http://lists.rousette.org.uk/mailman/listinfo/tracks-discuss
