Hello,
The first sentence of the sanitize() method doc says: "This sanitize helper will html encode all tags and strip all attributes that aren't specifically allowed."
But sanitize("<h1>foo</h1> <bar>should html encode</bar>") == "<h1>foo</h1> should html encode". Shouldn't it html encode <bar> to &lt;bar&gt;?