security question - erb (erubis)

Hi,

I'm tinkering with the idea of providing a client of mine with the
ability to edit pages, using erb. I've set up a couple of nice helpers
and things actually work surprisingly well. I'm using render_to_string
mainly.

Questions:

Does this seem totally insane, even if my client and I are the only
ones editing the pages?

Is it possible to limit what classes and methods are called within a
template?

Does anyone know of a set of regexps that would filter out nasty
things like backticks etc.?

Thank you!

Matt
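The two mechanisms the post asks about, shown as an added example that is not part of Matt's post or of erb/erubis itself: rendering a template inside a context object that exposes only whitelisted helpers and the variables passed in, plus a regex review pass over the template source. The context limits which bare names resolve (anything else raises NameError), but it is not a sandbox: ERB compiles the template to Ruby and runs it, so the regex list is a review aid for spotting constructs a page template should never need, not a boundary. The class and method names (TemplateContext, render_restricted, review_template, render_checked) and the sample templates are constructed for this example; ERB::Util.html_escape and ERB#result are standard library.

```ruby
require 'erb'

# Context object for templates. Only the public methods defined here and
# the variables handed to the renderer resolve as bare names in a template.
class TemplateContext
  def initialize(vars)
    @vars = vars.transform_keys(&:to_sym)
  end

  # HTML-escape untrusted text before interpolating it into the page.
  def h(text)
    ERB::Util.html_escape(text)
  end

  # Bare identifiers in the template (e.g. <%= title %>) arrive here.
  # Unknown names fall through to super and raise NameError.
  def method_missing(name, *args)
    return @vars.fetch(name) if args.empty? && @vars.key?(name)
    super
  end

  def respond_to_missing?(name, include_private = false)
    @vars.key?(name) || super
  end

  # Binding in which ERB evaluates the compiled template.
  def template_binding
    binding
  end
end

# Render a template so that helper lookups go through TemplateContext.
def render_restricted(template, vars)
  ERB.new(template).result(TemplateContext.new(vars).template_binding)
end

# Constructs a hand-edited page template should normally never contain.
# Matching one flags the template for review; it does not make an
# unmatched template safe, since the template is still arbitrary Ruby.
REVIEW_PATTERNS = {
  backtick:        /`/,
  percent_x:       /%x\W/,
  shell_or_eval:   /\b(system|exec|spawn|eval|instance_eval|class_eval)\b/,
  core_classes:    /\b(File|IO|Dir|Process|Kernel|ObjectSpace)\b/,
  require_or_load: /\b(require|load)\b/,
  constant_path:   /::/,
  dynamic_send:    /\.(send|public_send|__send__|method)\b/
}.freeze

# Return the names of every pattern the template source matches.
def review_template(template)
  REVIEW_PATTERNS.select { |_, re| template.match?(re) }.keys
end

# Refuse to render anything the review pass flags; otherwise render it.
def render_checked(template, vars)
  flags = review_template(template)
  raise ArgumentError, "template flagged for review: #{flags.join(', ')}" unless flags.empty?
  render_restricted(template, vars)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample page: a title variable and an escaped body.
  page = "<h1><%= title %></h1><p><%= h(body) %></p>"
  puts render_checked(page, title: 'Home', body: '<b>hi</b>')
  p review_template("<%= `echo hi` %>")
end
```

A helper the template calls that TemplateContext does not define fails at render time with NameError, which is the only enforcement this approach gives; whether that is acceptable depends on the two editors being trusted, which is the real answer to the first question.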