Don’t use strip_tags, strip_links and sanitize

Update: This is about earlier releases; Rails 2.0 provides a new sanitize method which uses a white list. Also, strip_tags and strip_links have been updated, so the attack vectors below no longer work.
Rails includes several insecure text helpers, especially strip_tags, strip_links and sanitize. Do not rely on these, as they do not deliver what their names promise. Here are two examples:
Note: the original attributes href and src were replaced by the blog software with xhref and xsrc in the following.

>> strip_tags("sdfasdf<<b>script>alert('hello')<</b>/script>")
=> "sdfasdf<script>alert('hello')</script>"

>> strip_links("<a xhref=''><a xhref=''>Test</a></a>")
=> "<a xhref=''>Test</a>"

I've posted a bug ticket at which was followed by, but it won't be fixed until Rails 2.0, so I recommend using Rick's white_list plugin to remove all but some safe tags.
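The following is an added example, not code from the post or from Rails: a single-pass tag stripper that reproduces the nested-tag bypass shown above, a fixed-point variant that closes that particular trick, and a minimal allow-list filter in the spirit of the white_list plugin (tag names only, attributes intentionally dropped; the regexes and the allowed tag set are assumptions for illustration).

```ruby
# Tag pattern that, like the old tokenizer, only treats "<" followed by an
# optional "/" and a letter as the start of a tag; a bare "<<" is text.
TAG_RE = /<\/?[a-zA-Z][^>]*>/

# One pass, as the vulnerable helpers effectively did: removing the inner
# <b>...</b> re-assembles the outer <script>...</script> from the pieces.
def naive_strip_tags(html)
  html.gsub(TAG_RE, '')
end

# Repeat until the output stops changing, so tags re-assembled by the
# previous pass are removed too. This closes the nesting trick but is
# still a deny-list; an allow-list (below) is the safer design.
def strip_tags_to_fixpoint(html)
  loop do
    stripped = html.gsub(TAG_RE, '')
    return stripped if stripped == html
    html = stripped
  end
end

# Allow-list: escape everything first, then un-escape only bare tags whose
# name is on the list. Anything unexpected stays as inert escaped text, so
# there is nothing for a nested or malformed tag to re-assemble into.
ALLOWED_TAGS = %w[b i em strong p].freeze  # assumed set for the example

def escape_html(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

def allow_list(html)
  escape_html(html).gsub(%r{&lt;(/?)(\w+)&gt;}) do
    slash, name = $1, $2.downcase
    ALLOWED_TAGS.include?(name) ? "<#{slash}#{name}>" : $&
  end
end
```

Run against the post's first input, naive_strip_tags returns the same re-assembled script tag the post shows, while allow_list leaves only an escaped remnant around a harmless <b>.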