Please login or <%= link_to 'create an account', :controller => 'user', :action => 'new' %>.<br />
<% form_tag :action => 'login' do %>
-<%= hidden_field_tag('referer', params[:referer]) %>
+<%= hidden_field_tag('referer', h(params[:referer])) %>
<table>
<tr><td>Email Address:</td><td><%= text_field('user', 'email',{:size => 50, :maxlength => 255}) %></td></tr>
<tr><td>Password:</td><td><%= password_field('user', 'password',{:size => 50, :maxlength => 255}) %></td></tr>
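Review bot: Wrapping `params[:referer]` in `h()` on the `hidden_field_tag` line only addresses how the value is rendered; the value itself is still taken from the request and posted back unchanged. If the `login` action redirects to it after authentication (the controller is not visible in this hunk), the form can still be used as an open redirect, so the action should accept only a local path and otherwise fall back to a fixed default. Depending on the Rails version, `hidden_field_tag` may already escape attribute values, in which case the extra `h()` could double-escape a referer that contains `&`; that is worth checking against a URL with a query string. A template comment such as `<%# referer is untrusted input; the login action must validate it before redirecting %>` above the field would record the assumption for the next maintainer.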