Preventing XSS in a Rails app, accepted architecture?
I've read and understand the great ways Rails sanitizes data when going from server to client, but I have a question that I would love to get some guidance/input on.
Recently it was discovered there were a couple of places in our code that took user input (first_name, last_name) and created a JavaScript popup all on the client. You can see the issue where a user could potentially provide a name of <script>hello()</script>
Some developers are now discussing sanitizing all data and fields on form input, but I feel this is complete overkill since the problem is that we have client-side vulnerabilities with the popups, etc.
Does anyone out there actually sanitize values on form validation? Not only do I feel that this is overkill, it could lead to problems with data changing unexpectedly, etc.
What are your thoughts when architecting field persistence in a Rails app to prevent XSS?
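The bug described in the question is a script-context injection: a stored name is concatenated straight into the markup of a popup, so a value like `<script>hello()</script>` closes the surrounding script early and runs. The following is an added example, not code from the question's author, written in plain Ruby so it runs without Rails. It shows the alternative to sanitizing on form input: keep the raw value in the database and escape it at output for the context it lands in. `ERB::Util.html_escape` is what a Rails `<%= %>` tag applies in an HTML body; the JSON-then-`\u003c` escaping mirrors what Rails' `json_escape` does for a value dropped into a `<script>` block. The `vulnerable_popup` / `safe_popup` helpers and the two sample names are constructed for illustration and are not from the original post.

```ruby
# Added example (not from the original post): context-aware output escaping of
# a user-supplied name, instead of sanitizing the name when the form is saved.
require "erb"
require "json"

# Constructed sample inputs: the hostile value from the question, and a
# perfectly legitimate name that input sanitization would be tempted to mangle.
HOSTILE_NAME    = "<script>hello()</script>"
LEGITIMATE_NAME = "O'Brien"

# HTML body context (e.g. <p>Hello <%= @user.first_name %></p>).
# Entity-encodes & < > " ' exactly as Rails' ERB escaping does.
def escape_for_html(value)
  ERB::Util.html_escape(value.to_s)
end

# Characters that are legal inside a JSON string but dangerous inside a
# <script> block: < and > can spell "</script>", & matters if the block is
# ever re-parsed as HTML, U+2028/2029 are line terminators in JavaScript.
JS_ESCAPES = {
  "<"      => '\u003c',
  ">"      => '\u003e',
  "&"      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze

# Inline-script context: turn the value into a JavaScript string literal.
# JSON.generate handles quotes and backslashes; the gsub handles the
# characters JSON leaves alone but the HTML parser cares about.
# Assumption: the value is placed where a JS expression is expected.
def escape_for_js_literal(value)
  JSON.generate(value.to_s).gsub(/[<>&\u2028\u2029]/, JS_ESCAPES)
end

# The pattern from the question: a greeting popup built from the stored name
# by plain string interpolation. With HOSTILE_NAME the first "</script>"
# inside the name terminates the block and hello() executes.
def vulnerable_popup(name)
  "<script>alert('Hello, #{name}');</script>"
end

# Hardened version: the name only ever appears as an escaped JS string
# literal, so it can neither close the <script> element nor break out of
# the string. Nothing about the stored value had to change.
def safe_popup(name)
  "<script>alert('Hello, ' + #{escape_for_js_literal(name)});</script>"
end

# Count how many times "</script>" appears: the vulnerable output has two
# (one injected, one legitimate), the safe output exactly one.
def script_close_count(markup)
  markup.scan("</script>").size
end

if __FILE__ == $PROGRAM_NAME
  puts "HTML context:    #{escape_for_html(HOSTILE_NAME)}"
  puts "JS context:      #{escape_for_js_literal(HOSTILE_NAME)}"
  puts "Vulnerable:      #{vulnerable_popup(HOSTILE_NAME)}"
  puts "Hardened:        #{safe_popup(HOSTILE_NAME)}"
  puts "Legit name, JS:  #{escape_for_js_literal(LEGITIMATE_NAME)}"
end
```

The point the example makes for the architecture question: the same stored string `O'Brien` is rendered differently for an HTML body (`O&#39;Brien`) and for a script literal (`"O'Brien"`), and neither representation is what you would want to persist. Escaping belongs at the point of output, where the context is known; sanitizing on form input would have to guess every future context and would alter the user's data.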