How to escape html?

Im using jQuery Markitup to allow users to input html... So they can input stuff like:

<h1>Foo</h1>
<p>Foobar</p>

However, I was watching http://railscasts.com/episodes/204-xss-protection-in-rails-3 and decided to try this piece of code into the input:

<script>alert('test');</script> 

To my amazement, when I submitted the form and refreshed the page, the alert box came out. This is a security r开发者_如何学Goisk!

This is what I have in my view:

<div><%= comment.description.html_safe %></div>

The above renders any html, but is also prone to xss. So I tried:

<div><%= html_safe(comment.description).html_safe %></div>

But the above does not render any html. It actually displays the html as text, which is not the desired behavior.

I need to render the html and at the same time protect myself from xss. How do I go about this?

Try

<%= sanitize(comment.description) %>

Update:

To remove ALL tags use strip_tags