Haml's HTML escaping option was not on, leaving the site open to XSS attacks. This would seem to fix it.