YUI, Hpricot and security

I'm creating a site that involves a blog, using Rails 2.3.8. I've used the YUI Rich Text Editor to allow posts to be created (the blog is for a photo site so images have to be uploaded) and the SimpleEditor for posting comments.

In both cases, I'm using Hpricot to parse the html for index and show actions.

I'm concerned about security, as I cannot use h or sanitize on the output because if I do I lose the rich text functionality that the client wants. But of course that opens the site to attack.

I really need some server side validation. I found some old posts on this topic (2006) but the links were broken.

I'm sure other people have faced this problem before. Can anybody point me in the direction of something that can help me validate the html output so I can sleep better? Thanks.

Answering my own question. As security, in this case, involves the prevention of injected javascript from executing, I wrote a method to scan for 'script' tags.

require 'nokogiri'

# Returns the post untouched unless it contains a <script> element; in that case the whole post is replaced with a warning.
def strip_script_tags(post)
  if Nokogiri::HTML(post).css('script').empty?
    return post
  else
    return '<strong><span style="color: #ff0000;">Contents removed for security reasons!</span></strong>'
  end
end

So instead of h(post.post), I have strip_script_tags(post.post), which prevents any script tags from being presented to the browser but allows all the other rich goodness introduced by the YUI editor through.

(I changed to Nokogiri on the way)