RailsAdmin (aka rails_admin) prior to 1.4.3 and 2.x prior to 2.0.2 allows cross-site scripting (XSS) via nested forms.
Vendor: rails admin project. Product: rails admin.