As web developers, we all know the golden rule: never trust user input. If you do, you are digging your own grave. At SupportBee we display tickets with HTML and CSS, so sanitization is essential to securing the site. Rails provides an Action View helper, ActionView::Helpers::SanitizeHelper, which you can use when outputting HTML. However, we use a whitelist-based sanitization gem called Sanitize, by Ryan Grove, to produce HTML that is safe to render: only the elements, attributes and URL protocols you explicitly allow survive, and everything else is stripped.
Sanitize lets you whitelist protocols, HTML elements and even individual attributes of those elements. It is very powerful because it also lets you write custom transformers to further process the sanitized output: a transformer is called for each node during sanitization and can allow, rewrite or remove it. For example, one can write a transformer that whitelists a YouTube video embed, as shown here by the author.
Have you done cool stuff with Sanitize transformers? Do let us know.