You are correct - h() is not enough. Check out the excellent White-listing plugin by Rick Olson at http://weblog.techno-weenie.net/2006/9/3/white-listing-plugin-for-rails.
Hope this helps, Zack
Keep up to date with Rails on Twitter and This Week in Rails
Policies: Conduct, License, Maintenance, Security, Trademarks