@pharrington - thanks for the pointer on Hpricot/Nokogiri.  I'm familiar 
with Hpricot but will have to take a look at Nokogiri.

Aaron - Thanks.  I'll take a look at those.  Think I'm getting in over 
my head here, but should be fun times.

Fabian -

The whole point of the website is to allow third-party developers to 
display HTML inside of a little content area within the site.  (Not 
unlike a certain large social networking site's Apps feature.)

One approach I've seen is namespacing all css IDs with some kind of 
application id or something.

So,

$('#foo-alert').html('You just won a prize!');
...would have to become
$('#app_1234567_foo-alert').html('You just won a prize!');

If they broke out of their content area and started manipulating the DOM 
on other parts of the page, this wouldn't even be the end of the world. 
(they'd eventually get caught & banned)

I'm more concerned about malicious things they could do to the end-user, 
e.g. cookie theft.

It sounds like a whitelist is the reasonable approach here.

Cheers,
- Sean
-- 
Posted via http://www.ruby-forum.com/.
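One way to implement the whitelist-plus-id-namespacing approach sketched in this post, as an added example (not code from the post, nor from Hpricot or Nokogiri): it uses Ruby's standard-library REXML and therefore assumes the third-party fragment is well-formed XHTML; the ALLOWED table, SAFE_HREF pattern, app id 1234567 and the UNTRUSTED sample are all assumed or constructed here.

```ruby
require 'rexml/document'

# Whitelist: element name => attributes allowed on it. Anything else
# (script, iframe, style, on* handlers, ...) is dropped, never blacklisted.
ALLOWED = {
  'div' => %w[id class], 'span' => %w[id class], 'p' => %w[id class],
  'b' => [], 'i' => [], 'br' => [], 'a' => %w[id class href]
}.freeze
# Only http(s) or site-relative links survive; javascript:, data:, etc. do not.
SAFE_HREF = %r{\A\s*(https?://|/)}i

# Sanitize an untrusted fragment and namespace every id with the app id, so
# #foo-alert becomes #app_1234567_foo-alert. Assumes well-formed XHTML (REXML
# is an XML parser); a fragment that does not parse is rejected whole.
def sanitize_fragment(html, app_id)
  doc = REXML::Document.new("<root>#{html}</root>")
  sanitize_node(doc.root, app_id)
  doc.root.children.map(&:to_s).join
rescue REXML::ParseException
  ''
end

def sanitize_node(node, app_id)
  # Comments and processing instructions carry nothing the app needs.
  node.children.dup.each do |c|
    node.delete(c) if c.is_a?(REXML::Comment) || c.is_a?(REXML::Instruction)
  end
  node.elements.to_a.each do |el|
    tag = el.expanded_name.downcase
    unless ALLOWED.key?(tag)
      node.delete_element(el) # removes the element and everything inside it
      next
    end
    el.attributes.map { |name, _| name }.each do |name|
      el.delete_attribute(name) unless ALLOWED[tag].include?(name.downcase)
    end
    href = el.attributes['href']
    el.delete_attribute('href') if href && href !~ SAFE_HREF
    id = el.attributes['id']
    el.add_attribute('id', "app_#{app_id}_#{id}") if id
    sanitize_node(el, app_id)
  end
end

# Constructed untrusted fragment exercising the cases the post worries about.
UNTRUSTED = <<~HTML
  <div id="foo-alert" class="box" onclick="alert(1)">You just won a prize!
    <script>alert(document.cookie)</script>
    <a href="javascript:alert(1)">bad link</a>
    <a href="https://example.com/app">good link</a><br/>
  </div>
HTML
puts sanitize_fragment(UNTRUSTED, 1234567)
```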