Same problem here but solved! hopefully this is helpful. Solution was
to watch Ryan Bates Railscast on Rails 3 XSS, and then to ensure any
strings being sent out by my form and custom helpers was HTML Safe =>
Just look for where the helpers are rendering tags and string and add
the ".html_safe" method on the end.
Hope this is helpful