Agile Web Development


WhiteList

This white-listing helper HTML-encodes every tag that is not specifically allowed and strips every attribute that is not specifically allowed. It also strips href/src attributes whose value uses a protocol that is not allowed, javascript: above all. It does its best to counter the tricks attackers use to get past the javascript: filter, such as spelling the scheme with unicode, ASCII (decimal) or hex character references. Check out the extensive test suite.

  <%= white_list @article.body %>
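To make the description above concrete (disallowed tags are escaped rather than removed, disallowed attributes are dropped, and href/src values are decoded and normalized before their scheme is checked), here is an added example: a small, self-contained allow-list sanitizer in plain Ruby. It is not the plugin's code and does not use Rails' HTML tokenizer; the module name AllowListSanitizer, its allow lists and its regex-based tokenizer are assumptions made for illustration, and the inputs in the comments are constructed.

```ruby
require 'cgi'
require 'set'

# Allow-list HTML sanitizer in the style of white_list (added example, not the
# plugin's code). Unknown tags are HTML-escaped rather than removed, unknown
# attributes are dropped, and href/src values are decoded and normalized before
# their scheme is checked, so entity and control-character tricks around
# "javascript:" do not slip past the filter.
module AllowListSanitizer
  TAGS       = Set.new(%w(a b i em strong p br img))
  ATTRIBUTES = {
    nil   => Set.new(%w(id class)),   # nil key: allowed on every tag, as in white_list
    'a'   => Set.new(%w(href title)),
    'img' => Set.new(%w(src alt)),
  }
  PROTOCOLS           = Set.new(%w(http https mailto))
  PROTOCOL_ATTRIBUTES = Set.new(%w(href src))

  # Toy tokenizer (assumption, not the plugin's): "<", optional "/", a name,
  # attributes, optional "/", ">". Anything else is treated as text.
  TAG_RE  = %r{\A<(/?)([A-Za-z][A-Za-z0-9]*)(\s[^>]*?)?\s*(/?)>\z}
  ATTR_RE = /([A-Za-z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

  module_function

  # '<b>hi</b><script>alert(1)</script>' => '<b>hi</b>&lt;script&gt;alert(1)&lt;/script&gt;'
  def sanitize(html)
    html.gsub(/<[^<>]*>|[<>]|[^<>]+/) do |chunk|
      m = TAG_RE.match(chunk)
      next escape_text(chunk) unless m                        # text, comments, stray brackets
      closing      = m[1] == '/'
      name         = m[2].downcase
      attrs        = m[3].to_s
      self_closing = m[4] == '/'
      next CGI.escapeHTML(chunk) unless TAGS.include?(name)   # disallowed tag: shown, not run
      if closing
        "</#{name}>"
      else
        "<#{name}#{clean_attributes(name, attrs)}#{self_closing ? ' /' : ''}>"
      end
    end
  end

  # Keeps only attributes allowed for this tag (or for all tags); valueless
  # attributes are dropped because the toy tokenizer does not recognize them.
  def clean_attributes(tag, attrs)
    allowed = (ATTRIBUTES[nil] || Set.new) | (ATTRIBUTES[tag] || Set.new)
    attrs.scan(ATTR_RE).map do |name, dq, sq, bare|
      name  = name.downcase
      value = decode_entities(dq || sq || bare)
      next unless allowed.include?(name)
      next if PROTOCOL_ATTRIBUTES.include?(name) && !safe_protocol?(value)
      %( #{name}="#{CGI.escapeHTML(value)}")                  # re-encode so the value cannot break out of its quotes
    end.compact.join
  end

  # Decides on the already entity-decoded value. Browsers ignore tabs, newlines
  # and other control characters inside a scheme, so "jav\tascript:" must be
  # read as "javascript:". A value with no scheme is a relative URL and cannot
  # run script.
  def safe_protocol?(decoded)
    return false if decoded =~ /&[#a-z0-9]+;/i                # an entity we could not decode: refuse rather than guess
    cleaned = decoded.gsub(/[\u0000-\u0020\u007f]/, '')
    scheme  = cleaned[/\A[a-z][a-z0-9+.\-]*(?=:)/i]
    return true if scheme.nil?
    PROTOCOLS.include?(scheme.downcase)
  end

  # Decodes hex and decimal character references (with or without the trailing
  # semicolon, as browsers do), then the named entities CGI knows about.
  def decode_entities(str)
    s = str.gsub(/&#x([0-9a-f]+);?/i) { codepoint($1.hex) }
    s = s.gsub(/&#(\d+);?/)           { codepoint($1.to_i) }
    CGI.unescapeHTML(s)
  end

  def codepoint(n)
    n.chr(Encoding::UTF_8)
  rescue RangeError                                           # surrogates or out-of-range values
    ''
  end

  def escape_text(text)
    CGI.escapeHTML(decode_entities(text))                     # normalize first so "&amp;" is not double-encoded
  end
end
```

The design choice worth noting is the order of operations on href/src: decode every character reference, strip control characters, and only then look at the scheme; checking for the literal string "javascript:" before decoding is exactly what the unicode/hex tricks mentioned above defeat. A regex tokenizer like this one is fine for a demonstration but is not a substitute for the plugin's real tokenizer and test suite.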

You can add or remove tags/attributes if you want to customize it a bit.

add table tags

  WhiteListHelper.tags += %w(table td th)

remove tags

  WhiteListHelper.tags -= %w(div span)

clear all allowed attributes for a tag

  WhiteListHelper.attributes['a'] = []

allow an additional attribute for a tag

  WhiteListHelper.attributes['img'] += %w(style)

set the allowed attributes for a newly added tag (the tag itself must also be in WhiteListHelper.tags, as in the table example above, or it will still be encoded)

  WhiteListHelper.attributes['table'] = %w(cellpadding cellspacing)

change allowed attributes for all tags

  WhiteListHelper.attributes[nil] = %w(id class style)

Vitals

Repository http://svn.techno-weenie.net/projects/plugins/white_list/
License Rails' (MIT)
Tags script
Rating (15 votes)
Owner Rick Olson
Created 19 September 2006
