Don’t use strip_tags, strip_links and sanitize

Update: this post is about earlier releases. Rails 2.0 provides a new sanitize method that uses a white list, and strip_tags and strip_links have been updated as well, so the attack vectors below no longer work.
 
Rails includes several insecure text helpers, especially strip_tags, strip_links and sanitize. Do not rely on them: they do not do what their names promise. Here are two examples:
 
Note: the blog software replaced the original href and src attributes with xhref and xsrc in the examples below.

>> strip_tags("sdfasdf<<b>script>alert('hello')<</b>/script>")
=> "sdfasdf<script>alert('hello')</script>"

>> strip_links("<a xhref='http://www.holy-angel.com/'><a xhref='http://www.attacker.com/'>Test</a></a>")
=> "<a xhref='http://www.attacker.com/'>Test</a>"

I've posted a bug ticket at http://dev.rubyonrails.org/ticket/8864 which was followed by http://dev.rubyonrails.org/ticket/8877, but it won't be fixed until Rails 2.0, so I recommend using Rick's white_list plugin to remove all but some safe tags.
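To make the failure mode concrete, here is an added example (not the Rails code and not the white_list plugin) that re-implements the single-pass behaviour shown in the irb sessions above, puts a small allow-list sanitizer beside it, and adds a check a defender can run on any helper's output: every tag name left behind must be on the allow list. The regexes, SAFE_TAGS list and only_allowed_tags? helper are constructed for this illustration.

```ruby
require 'cgi'

# Constructed re-implementations of the single-pass behaviour shown in the post
# (not Rails' own code): each removes what it matches exactly once, so the
# fragments it leaves behind can reassemble into a tag.
def naive_strip_tags(html)
  html.gsub(%r{</?\w+[^>]*>}, "")
end

def naive_strip_links(html)
  html.gsub(%r{<a\b[^>]*>(.*?)</a>}m, '\1')
end

# Allow-list alternative: escape everything, then re-enable a few attribute-free
# tags. Anything not on the list, attributes included, stays escaped text.
SAFE_TAGS = %w[b i em strong].freeze

def allowlist_sanitize(html)
  out = CGI.escapeHTML(html)
  SAFE_TAGS.each do |tag|
    out = out.gsub("&lt;#{tag}&gt;", "<#{tag}>").gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  out
end

# Defender's check on a sanitizer's output: every remaining tag name must be
# on the allow list; a "script" or "a" surviving here means the helper failed.
def only_allowed_tags?(html, allowed = SAFE_TAGS)
  html.scan(%r{</?(\w+)}).flatten.all? { |name| allowed.include?(name.downcase) }
end

# The two inputs from the post (href written as xhref, as in the post).
NESTED_TAG  = "sdfasdf<<b>script>alert('hello')<</b>/script>"
NESTED_LINK = "<a xhref='http://www.holy-angel.com/'><a xhref='http://www.attacker.com/'>Test</a></a>"

if __FILE__ == $0
  puts naive_strip_tags(NESTED_TAG)                        # sdfasdf<script>alert('hello')</script>
  puts only_allowed_tags?(naive_strip_tags(NESTED_TAG))    # false
  puts naive_strip_links(NESTED_LINK)                      # <a xhref='http://www.attacker.com/'>Test</a>
  puts only_allowed_tags?(naive_strip_links(NESTED_LINK))  # false
  puts allowlist_sanitize(NESTED_TAG)
  puts only_allowed_tags?(allowlist_sanitize(NESTED_TAG))  # true
end
```

The check is deliberately independent of the sanitizer: run it over the output of whichever helper you use, and treat any name outside the allow list as a failed sanitization rather than trusting the helper's name.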