The Rails 3 approach is by far the best on the review side, because it clearly tracks the security of each line, which ultimately means what you need (taint mode) for a reliable solution.
However, there is another approach, the one ActsAsTextiled takes: override the attribute accessor to sanitize and cache the result, so that you always get sanitized output by default. What I like about this, as opposed to the xss_terminate style, is that it doesn't touch the user's input at all, so you get fewer complaints from users, the data will not be accidentally mangled, and you can go back and change the rules later if you missed something.
I liked the approach so much that I wrote a plugin using the Sanitize gem, ActsAsSanitiled. This does not give you protection out of the box the way xss_terminate does, but it also avoids unwanted side effects. In my case, relatively few text fields are actually edited directly by users, so I prefer to check them and declare them explicitly.
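The output-side pattern described in this answer, as an added example that is not the answerer's plugin code: the writer stores the raw text untouched, the reader sanitizes on the way out and memoizes the clean copy, and the allowlist lives in one place so it can be changed later without touching stored data. The `Comment` class, the `sanitize_html` helper and its small tag allowlist are assumptions made for illustration; the helper stands in for the Sanitize gem and is not the gem's own logic.

```ruby
require 'cgi'

# Constructed allowlist for the example: tags allowed with no attributes at all.
ALLOWED_TAGS = %w[b i em strong p].freeze

# Minimal allowlist sanitizer (illustrative stand-in for the Sanitize gem).
# Tokenizes into tags, text runs and stray '<'; keeps only bare allowed tags,
# escapes everything else. Text is escaped even if it already held entities,
# so '&amp;' becomes '&amp;amp;' (a real library would parse entities).
def sanitize_html(html, allowed = ALLOWED_TAGS)
  html.to_s.gsub(/<[^>]*>|[^<]+|</) do |token|
    if token.start_with?('<') && token.end_with?('>')
      m = token.match(%r{\A</?([a-zA-Z]+)>\z})
      if m && allowed.include?(m[1].downcase)
        token.downcase          # bare <b>, </p> etc. pass through
      else
        CGI.escapeHTML(token)   # <script>, <b onclick=..> become inert text
      end
    else
      CGI.escapeHTML(token)     # plain text and unterminated '<'
    end
  end
end

# Model-like class (assumed) following the ActsAsTextiled idea:
# raw input is stored as-is; the reader returns sanitized, cached output.
class Comment
  attr_reader :raw_body

  def initialize(body)
    self.body = body
  end

  # Writer keeps the original text and invalidates the cached clean copy,
  # so re-sanitizing with new rules later is just a matter of reading again.
  def body=(text)
    @raw_body = text
    @sanitized_body = nil
  end

  # Reader sanitizes once and memoizes; callers get safe output by default.
  def body
    @sanitized_body ||= sanitize_html(@raw_body)
  end
end

if __FILE__ == $PROGRAM_NAME
  c = Comment.new('<p>Hi <b>there</b> <script>alert(1)</script></p>')
  puts c.body
  puts c.raw_body
end
```

The important property is that `raw_body` never changes: a sanitizer bug or a tightened allowlist is fixed by changing `sanitize_html` and letting the cache refill, not by re-editing stored records.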