First sentence of sanitize() method doc says: "This sanitize helper
will html encode all tags and strip all attributes that aren't
But sanitize("<h1>foo</h1> <bar>should html encode</bar>") ==
"<h1>foo</h1> should html encode".
Shouldn't it html encode <bar> to <bar> ?