||Rolling with Ruby on Rails, Part 2|
Thanks for a great article - the examples build one one another really well.
One point - as discussed in the security manual you reference, it is important to escape any content that the user has entered before displaying it. This is needed both to prevent page display being broken by user-entered HTML, and to prevent cross-site scripting attacks by user-entered script.
Fortunately this is easy to do: just use <%h= instead of <%= when displaying unsafe content.