
Advice on Rails sanitize() in the view or how secure is my code

I have a partial that contains this sanitize() code:

<%= sanitize comment.body,
:tags => %w(a b embed i img object p param),
:attributes => %w(allowfullscreen allowscriptaccess href name src type value) %>

I'd like users to be able to embed videos, links, pictures, use italics, bold, etc.

How unsafe is this, and if I put this on a live website, what should I expect or be prepared to deal with?

Note: this is assuming there is no sanitizing of input obviously.

Thanks for reading.


The tags you really have to watch out for are <script/> and <object/>.

If allowing videos, you should either validate against an acceptable object format that matches the expected values coming from YouTube and other systems OR (ideally) create a UI that handles the embedding for the user.

Last year I created a system that allowed video embedding by taking a YouTube URL and manually deriving the object embed code. It had the benefit of making the user experience pretty streamlined as well as protecting the system from a potential vector of attack.

Oh, and one other thing: use strong and em, rather than b and i, if you can.

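As an added example (not code from the question or from the answer), here is the approach the answer describes, in plain Ruby without Rails: accept a YouTube URL, validate it, and build the embed markup server-side so that users never post raw object/embed/param tags and the allowscriptaccess attribute can be dropped from the whitelist entirely. The accepted host list, the 11-character video ID pattern, the iframe markup and the `VideoEmbed` module name are assumptions of this example.

```ruby
require "uri"
require "cgi"

# Added example: derive a YouTube embed from a user-supplied URL instead of
# sanitizing user-supplied <object>/<embed> markup. With this in place the
# comment whitelist can shrink to something like
#   sanitize comment.body, tags: %w(a em img p strong), attributes: %w(href src)
module VideoEmbed
  # Hosts we accept (assumption for this example).
  HOSTS = %w[youtube.com www.youtube.com m.youtube.com youtu.be].freeze
  # YouTube video IDs: exactly 11 URL-safe characters (assumed pattern).
  VIDEO_ID = /\A[A-Za-z0-9_-]{11}\z/

  # Returns the video ID for a recognised YouTube URL, or nil for anything
  # else (wrong scheme, wrong host, unparseable input, malformed ID).
  def self.video_id(url)
    uri = URI.parse(url.to_s)
    scheme = uri.scheme.to_s.downcase
    host = uri.host.to_s.downcase
    return nil unless %w[http https].include?(scheme) && HOSTS.include?(host)

    id =
      if host == "youtu.be"
        uri.path.delete_prefix("/")
      elsif uri.path == "/watch"
        CGI.parse(uri.query.to_s)["v"].first
      elsif uri.path.start_with?("/embed/")
        uri.path.delete_prefix("/embed/")
      end
    id if id && VIDEO_ID.match?(id)
  rescue URI::InvalidURIError
    nil
  end

  # Builds the player markup from the validated ID only. The only user-derived
  # bytes in the output are the 11 whitelisted ID characters; everything else
  # is a constant we control, so no sanitizer pass is needed on the result.
  def self.embed_html(url, width: 560, height: 315)
    id = video_id(url)
    return nil unless id

    %(<iframe width="#{width}" height="#{height}" ) +
      %(src="https://www.youtube.com/embed/#{id}" frameborder="0" allowfullscreen></iframe>)
  end
end
```

In a Rails app the view would render `VideoEmbed.embed_html(comment.video_url)` with `raw`, since the string contains no user-controlled markup.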