Securing a rails app, blog comments?

You are correct - h() is not enough. Check out the excellent
White-listing plugin by Rick Olson at
http://weblog.techno-weenie.net/2006/9/3/white-listing-plugin-for-rails.

Hope this helps,
Zack
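To make the point concrete: escaping everything with h() strips all markup, while the white-listing approach keeps a small set of harmless tags and drops everything else (unknown tags, event-handler attributes, javascript: URLs). The following is an added example, not the plugin's own code; it is a minimal, stand-alone whitelist sanitizer in plain Ruby that shows the idea, and the tag/attribute whitelist and the sample comments are constructed for the example. It uses a simplified tokenizer rather than a full HTML parser, so for a real application the plugin (or the framework's own sanitizer) is still the thing to use.

```ruby
require 'cgi'

# Constructed whitelist for this example: tag name => attributes that may survive.
# Anything not listed here is escaped as text rather than rendered as markup.
ALLOWED_TAGS = {
  'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'p' => [], 'br' => [],
  'a' => ['href', 'title']
}.freeze

# Only these URL schemes (plus site-relative paths) are accepted in href.
SAFE_URL_SCHEMES = %w[http https mailto].freeze

# One token is either a tag (open or close), a run of plain text, or a stray '<'.
TOKEN = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</

# Reject javascript:, data:, vbscript: and protocol-relative (//host) links.
def safe_url?(value)
  v = value.strip.downcase
  return true if v.start_with?('/') && !v.start_with?('//')
  SAFE_URL_SCHEMES.any? { |scheme| v.start_with?("#{scheme}:") }
end

# Pull name/value pairs out of the raw attribute string (double-, single- or un-quoted).
def parse_attributes(raw)
  raw.scan(/([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/).map do |name, dq, sq, bare|
    [name.downcase, dq || sq || bare]
  end
end

# Rebuild an allowed opening tag from scratch so that only whitelisted
# attributes with safe, re-escaped values make it into the output.
def rebuild_tag(name, attrs_raw)
  allowed_attrs = ALLOWED_TAGS[name]
  attrs = parse_attributes(attrs_raw).select { |n, _| allowed_attrs.include?(n) }
  attrs.reject! { |n, v| n == 'href' && !safe_url?(v) }
  attr_str = attrs.map { |n, v| " #{n}=\"#{CGI.escapeHTML(v)}\"" }.join
  "<#{name}#{attr_str}>"
end

# Sanitize an untrusted comment body: keep whitelisted tags, escape everything else.
# Plain text is escaped with CGI.escapeHTML, so pre-existing entities are
# re-escaped (conservative, but never unsafe).
def sanitize_comment(html)
  html.gsub(TOKEN) do
    m = Regexp.last_match
    if m[2].nil?
      CGI.escapeHTML(m[0]) # plain text or a lone '<'
    else
      name = m[2].downcase
      if ALLOWED_TAGS.key?(name)
        m[1] == '/' ? "</#{name}>" : rebuild_tag(name, m[3])
      else
        CGI.escapeHTML(m[0]) # unknown tag: render it as visible text
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample comments a blog might receive.
  samples = [
    '<b>bold</b> and <i>italic</i>',
    '<script>alert(1)</script>',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="https://example.com" onclick="steal()">ok</a>',
    '<img src=x onerror=alert(1)>',
    '1 < 2'
  ]
  samples.each { |s| puts "#{s.inspect} => #{sanitize_comment(s).inspect}" }
end
```

In a Rails view the sanitized string (not the raw comment) is what gets rendered; the key design choice is that allowed tags are reconstructed from a parsed form rather than passed through, so an attribute the whitelist does not name can never leak into the output.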