Same problem here, but solved! Hopefully this is helpful. The solution was to watch Ryan Bates' Railscast on Rails 3 XSS, and then to ensure any strings being sent out by my form and custom helpers were HTML safe => just look for where the helpers are rendering tags and strings and add the ".html_safe" method on the end.
Hope this is helpful.
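
An added example, not part of the original post: it shows how Rails 3 output escaping treats a helper's return value, and why the dynamic parts of a helper should be escaped before the result is marked safe. `SafeString`, `mark_safe` and `render` are hypothetical stand-ins for `ActiveSupport::SafeBuffer`, `String#html_safe` and `<%= %>`, so the block runs without Rails; the `badge_*` helpers and the label are constructed.

```ruby
require 'erb'

# Stand-in for ActiveSupport::SafeBuffer: a String flagged as already safe.
class SafeString < String
  def html_safe?
    true
  end
end

# Stand-in for String#html_safe (hypothetical name, assumption of this example).
def mark_safe(str)
  SafeString.new(str)
end

# Stand-in for Rails 3 `<%= value %>`: escape everything not flagged safe.
def render(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : ERB::Util.html_escape(value)
end

# 1. Helper returns a plain String: the helper's own tags get escaped
#    and show up as literal text on the page.
def badge_plain(label)
  "<span class=\"badge\">#{label}</span>"
end

# 2. Whole string marked safe, interpolated label included: any markup
#    inside the label is emitted raw.
def badge_blanket(label)
  mark_safe("<span class=\"badge\">#{label}</span>")
end

# 3. Escape the dynamic part first, then mark the assembled markup safe.
def badge_escaped(label)
  mark_safe("<span class=\"badge\">#{ERB::Util.html_escape(label)}</span>")
end

LABEL = '<b>new</b> & "hot"' # constructed sample input

if __FILE__ == $PROGRAM_NAME
  %i[badge_plain badge_blanket badge_escaped].each do |helper|
    puts "#{helper}: #{render(send(helper, LABEL))}"
  end
end
```

In a real Rails helper, `content_tag(:span, label, :class => "badge")` gives the same result as the third variant, since it escapes its content and returns an html_safe string.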