You'd think. Rails 3 is supposed to handle this, Haml has that setting I enabled...

There are other ways to get XSS bugs than bad HTML escaping. For example, if you redirect to a user-provided location, they can inject JavaScript and/or HTTP headers.
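A redirect-target check along the lines of that comment, added here as an example; it is not code from the thread or from Rails itself, and the `SafeRedirect` module and `sanitize_target` name are hypothetical. It only accepts same-site relative paths, so a `javascript:` URL, an absolute or protocol-relative URL, and a value carrying CR/LF (which would let the caller end the `Location` header and append headers of their own) all fall back to a safe default.

```ruby
require "uri"

# Hypothetical helper, not part of Rails: validate a redirect target taken
# from a request parameter before handing it to redirect_to.
module SafeRedirect
  # Returns a same-site relative path (with its query/fragment), or
  # +fallback+ when the value looks like an open redirect, a javascript:
  # URL, or a header-injection attempt.
  def self.sanitize_target(param, fallback: "/")
    return fallback if param.nil? || param.empty?

    # A raw CR or LF would terminate the Location header line.
    return fallback if param.match?(/[\r\n]/)

    # Parse strictly; anything the RFC 3986 parser rejects is not used.
    uri = begin
      URI.parse(param)
    rescue URI::InvalidURIError
      return fallback
    end

    # Any scheme (http:, https:, javascript:, data:, ...) or authority part
    # means the target is not a plain same-site path.
    return fallback unless uri.scheme.nil? && uri.host.nil? && uri.userinfo.nil?

    path = uri.path.to_s
    # Must start with exactly one "/": "//host" is protocol-relative and
    # browsers treat "/\host" the same way.
    return fallback unless path.start_with?("/")
    return fallback if path.start_with?("//", "/\\") || path.include?("\\")

    query    = uri.query    ? "?#{uri.query}"    : ""
    fragment = uri.fragment ? "##{uri.fragment}" : ""
    path + query + fragment
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, as a controller might receive in params[:next].
  ["/account?tab=1", "javascript:alert(1)", "//evil.example",
   "/\r\nSet-Cookie: x=1", "https://evil.example/"].each do |v|
    puts "#{v.inspect} -> #{SafeRedirect.sanitize_target(v).inspect}"
  end
end
```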