YUI, Hpricot and security

I’m creating a site that involves a blog, using Rails 2.3.8.
I’ve used the YUI Rich Text Editor to allow posts to be created (the
blog is for a photo site so images have to be uploaded) and the
SimpleEditor for posting comments.

In both cases, I’m using Hpricot to parse the HTML for index and show
actions.

I’m concerned about security, as I cannot use h or sanitize on the
output because if I do I lose the rich text functionality that the
client wants. But of course that opens the site to attack.

I really need some server side validation. I found some old posts on
this topic (2006) but the links were broken.

I’m sure other people have faced this problem before. Can anybody
point me in the direction of something that can help me validate the
HTML output so I can sleep better?
Thanks

Answering my own question.
As security, in this case, involves the prevention of injected
JavaScript from executing, I wrote a method to scan for 'script' tags.

require 'nokogiri'

# Returns the post unchanged unless it contains a <script> element,
# in which case a warning is returned in its place.
def strip_script_tags(post)
  if Nokogiri::HTML(post).css('script').empty?
    post
  else
    '<span style="color: #ff0000;">Contents removed for security reasons!</span>'
  end
end

So instead of h(post.post), I have strip_script_tags(post.post) which
prevents any script tags from being presented to the browser but
allows all the other rich goodness introduced by the YUI editor
through.

(I changed to Nokogiri on the way)
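The check above looks for one element type only, so markup that carries executable content some other way (an event-handler attribute, a javascript: URL) passes through untouched. The standard defence is the opposite design: decide which tags and attributes the editor is allowed to produce, and rebuild the output from that allowlist, escaping everything else as text. Rails' own sanitize helper can be given an allowlist of tags and attributes for exactly this purpose. The following is an added example, not the poster's code, showing the allowlist approach in plain Ruby; it uses a deliberately conservative tokenizer (any `<` that does not form a recognised tag is escaped) rather than a full HTML parser, and the tag, attribute and URL-scheme lists are assumptions for a blog on a photo site. The safety property is that every byte emitted is either escaped text, an allowed tag or attribute name, or an escaped attribute value; nothing from the input is copied through unexamined.

```ruby
# Allowlist-based HTML sanitiser for rich-text posts (added example, not the
# original poster's code). Output is re-serialised only from tags and
# attributes the lists below permit; everything else is HTML-escaped as text.
require 'cgi'
require 'strscan'

# Tag -> attributes permitted on it (assumed set for a blog/photo site).
ALLOWED_TAGS = {
  'p' => [], 'br' => [], 'b' => [], 'i' => [], 'strong' => [], 'em' => [],
  'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
  'a'   => %w[href title],
  'img' => %w[src alt width height],
}.freeze
VOID_TAGS    = %w[br img].freeze        # elements without a closing tag
DROP_CONTENT = %w[script style].freeze  # remove the element body as well
URL_ATTRS    = %w[href src].freeze
SAFE_SCHEMES = %w[http https mailto].freeze

# A tag must be fully well-formed to be recognised; otherwise its '<' is escaped.
TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z][a-zA-Z0-9\-]*(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*/?>}
ATTR_RE = %r{([a-zA-Z][a-zA-Z0-9\-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?}

# A URL is acceptable if it is relative or uses an allowed scheme. Whitespace
# and control characters are removed before the check because browsers ignore
# them inside the scheme, so "java\tscript:" would otherwise slip past.
def safe_url?(value)
  cleaned = value.gsub(/[[:space:][:cntrl:]]/, '').downcase
  scheme = cleaned[/\A([a-z][a-z0-9+.\-]*):/, 1]
  scheme.nil? || SAFE_SCHEMES.include?(scheme)
end

# Keep only permitted attributes; drop URL attributes with unsafe schemes.
def filtered_attrs(name, raw)
  raw.scan(ATTR_RE).map do |attr, dq, sq, bare|
    attr = attr.downcase
    value = dq || sq || bare || ''
    next unless ALLOWED_TAGS[name].include?(attr)
    next if URL_ATTRS.include?(attr) && !safe_url?(value)
    %( #{attr}="#{CGI.escapeHTML(value)}")
  end.compact.join
end

def sanitize_html(html)
  out   = +''
  stack = []                       # currently open allowed tags
  s     = StringScanner.new(html)
  until s.eos?
    if (text = s.scan(/[^<]+/))
      out << CGI.escapeHTML(text)
    elsif s.scan(TAG_RE)
      closing, name, attrs = !s[1].empty?, s[2].downcase, s[3]
      if DROP_CONTENT.include?(name)
        # discard the element together with its body
        s.skip_until(/<\/#{name}\s*>/i) unless closing
      elsif !ALLOWED_TAGS.key?(name)
        # unknown tag: drop the tag itself; its text content stays, escaped
      elsif closing
        # close everything up to and including the matching open tag
        if (i = stack.rindex(name))
          stack.slice!(i..-1).reverse_each { |t| out << "</#{t}>" }
        end
      elsif VOID_TAGS.include?(name)
        out << "<#{name}#{filtered_attrs(name, attrs)}>"
      else
        out << "<#{name}#{filtered_attrs(name, attrs)}>"
        stack << name
      end
    else
      out << '&lt;'                # a '<' that does not start a recognised tag
      s.getch
    end
  end
  stack.reverse_each { |t| out << "</#{t}>" }
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample post: rich text that should survive, plus markup a
  # script-tag check alone would let through.
  sample = '<p>Holiday <b>photos</b></p><img src="/photos/1.jpg" alt="beach" onerror="alert(1)">' \
           '<a href="javascript:alert(1)">caption</a><script>alert(1)</script>'
  puts sanitize_html(sample)
end
```

Dropping an unknown tag but keeping its text means a post with an unexpected element degrades to readable text rather than being replaced wholesale; the body of script and style elements is removed because it is never content a reader should see. Because the closing tags are generated from the stack, mismatched or missing closers in the input cannot leave an element open in the surrounding page.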