How to "sanitize" a link?

Hi, I want to permit users to send their own content, text, html, and stuff like that. It should also permit them to send their own design, using div, span, internal style attributes and so on. Obviously I'd like to protect everything by forbidding javascript, but permitting object and embedded (for youtube, gvideo, etc). From a previous post the suggestion was wonko/sanitize:

But I've not found time to try it yet. Btw, my question now is another: how can I remove external links, but keep the link text and internal links? I mean, if a user inserts "<a href="http://externaldomain.com">my site</a>" it should be sanitized to just "my site"; if instead he inserts "<a href="http://domain.com">read this page</a>" it should keep it as it is (domain.com is "whitelisted"). And it should also remove others like mailto:, ftp:, etc. (just keep http and https). Any hint about this? (Considering the first lines about styles, and which sanitizer to use.) Thank you

Take a look at: Securing Rails Applications — Ruby on Rails Guides

and then look at what you're trying to provide.

Is it really worth the risk?

A compromise might be http://redcloth.org/ a Textile to Ruby module

Even without Sanitizer, this seems fairly trivial:

irb(main):017:0> links = "<a href='http://FACE.com'>click here for your FACE</a><br /><a href='http://whitelisted.com'>this domain is allowed</a>"
irb(main):018:0> allowed = "http://whitelisted.com"
irb(main):019:0> doc = Hpricot links
irb(main):020:0> (doc/"//a").each { |tag| tag.swap(tag.inner_text) unless tag[:href] == allowed }
href="http://whitelisted.com"> "this domain is allowed" </a>}]>
irb(main):021:0> doc.to_s
=> "click here for your FACE<br /><a href=\"http://whitelisted.com \">this domain is allowed</a>"
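The per-link decision behind a loop like the one above, generalized to the rules in the original question (http and https only, allow-listed hosts, relative links kept). This is an added example, not code from the thread; `keep_link?`, the `www.domain.com` entry and the sample hrefs are assumptions, and only Ruby's standard `uri` library is used.

```ruby
require "uri"

# Allow-list built from the thread's example hosts; adjust for the real site.
ALLOWED_HOSTS   = %w[domain.com www.domain.com whitelisted.com].freeze
ALLOWED_SCHEMES = %w[http https].freeze

# keep_link? is a hypothetical helper name. It returns true when an <a> tag may
# stay, false when the tag should be replaced by its inner text.
def keep_link?(href)
  return false if href.nil?

  # Browsers ignore tab/CR/LF inside a URL and trim surrounding whitespace,
  # so normalise the same way before judging the value.
  cleaned = href.gsub(/[\t\r\n]/, "").strip
  # Browsers read "\" as "/" in http(s) URLs; URI does not, so refuse it.
  return false if cleaned.empty? || cleaned.include?("\\")

  uri    = URI.parse(cleaned)
  scheme = uri.scheme&.downcase
  host   = uri.host&.downcase

  if scheme.nil?
    # No scheme: a relative link ("/about") stays; a protocol-relative one
    # ("//host/path") names a host and must pass the host check.
    host.nil? || ALLOWED_HOSTS.include?(host)
  else
    # Exact host match, never a prefix or substring test on the raw string.
    ALLOWED_SCHEMES.include?(scheme) && !host.nil? && ALLOWED_HOSTS.include?(host)
  end
rescue URI::InvalidURIError
  false # unparseable values are treated as external
end

# Constructed sample hrefs, not taken from the thread.
SAMPLES = [
  "http://domain.com/page?x=1", "HTTP://Domain.COM/page", "/about",
  "http://externaldomain.com", "http://domain.com.external.example/",
  "http://domain.com@external.example/", "//external.example/x",
  "mailto:someone@domain.com", "ftp://domain.com/file", "javascript:alert(1)"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |h| puts format("%-42s %s", h.inspect, keep_link?(h) ? "keep" : "strip") }
end
```

In the loop from the thread, the condition would become `tag.swap(tag.inner_text) unless keep_link?(tag[:href])`.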