diff --git a/app/controllers/status_messages_controller.rb b/app/controllers/status_messages_controller.rb
index 77a6b3e5a..ea1e56394 100644
--- a/app/controllers/status_messages_controller.rb
+++ b/app/controllers/status_messages_controller.rb
@@ -42,27 +42,14 @@ class StatusMessagesController < ApplicationController
 end
 respond_to do |format|
- format.js { render :json => {:post_id => @status_message.id,
- :html => render_to_string(
- :partial => 'shared/stream_element',
- :locals => {
- :post => @status_message,
- :person => @status_message.person,
- :photos => @status_message.photos,
- :comments => [],
- :all_aspects => current_user.aspects,
- :current_user => current_user
- }
- )
- },
- :status => 201 }
+ format.js { render :create, :status => 201}
 format.html { redirect_to :back}
 format.mobile{ redirect_to :back}
 end
 else
 respond_to do |format|
 format.js { render :json =>{:errors => @status_message.errors.full_messages}, :status => 406 }
- format.html {redirect_to :back}
+ format.html {redirect_to :back}
 end
 end
 end
diff --git a/app/views/status_messages/create.js.erb b/app/views/status_messages/create.js.erb
new file mode 100644
index 000000000..8eac17206
--- /dev/null
+++ b/app/views/status_messages/create.js.erb
@@ -0,0 +1,11 @@
+<%= {:html => render(
+ :partial => 'shared/stream_element',
+ :locals => {
+ :post => @status_message,
+ :person => @status_message.person,
+ :photos => @status_message.photos,
+ :comments => [],
+ :all_aspects => current_user.aspects
+ }
+ ),
+ :post_id => @status_message.id}.to_json.html_safe%>
diff --git a/spec/controllers/status_messages_controller_spec.rb b/spec/controllers/status_messages_controller_spec.rb
index 77521f134..1299fcf7d 100644
--- a/spec/controllers/status_messages_controller_spec.rb
+++ b/spec/controllers/status_messages_controller_spec.rb
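Review bot: The success branch `format.js { render :create, :status => 201}` now renders a `.js.erb` template, so the response goes out with a JavaScript content type even though the body the template builds is a JSON object, while the 406 error branch a few lines below still uses `render :json`; the same `js` format therefore answers with two different content types depending on outcome. A client that dispatches on Content-Type (for example an ajax helper that evaluates script-typed responses instead of parsing them) will handle the success body differently from before this change, which the spec's `JSON.parse(response.body)` does not exercise. If the body is meant to be parsed as JSON, keeping the previous type is a one-line change: `format.js { render :create, :status => 201, :content_type => 'application/json' }`; otherwise moving the template to a JSON format would make the intent explicit. The enclosing `create` action begins above the hunk.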
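Review bot: The trailing `.to_json.html_safe` in create.js.erb needs a comment, because its role is easy to misread: `html_safe` only stops ERB's `<%=` from entity-escaping the quotes and angle brackets of the JSON text, and it has no bearing on whether user-supplied message content inside `html` is escaped — that is decided entirely by the `shared/stream_element` partial. A one-line ERB comment at the top would keep the next reader from either removing it or treating it as a sanitizer: `<%# JSON body for format.js; html_safe only prevents ERB from entity-escaping the JSON string, user content is escaped by the partial %>`. Separately, the locals no longer pass `:current_user => current_user` as the removed controller code did; if the partial reads it via `local_assigns` rather than the view helper it now renders without it, so this is worth confirming against the partial, which is outside this diff.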
@@ -59,15 +59,29 @@ describe StatusMessagesController do }, :aspect_ids => [@aspect1.id.to_s] } }
- it 'responds to js requests' do
- post :create, status_message_hash.merge(:format => 'js')
- response.status.should == 201
+ context 'js requests' do
+ it 'responds' do
+ post :create, status_message_hash.merge(:format => 'js')
+ response.status.should == 201
+ end
+ it 'responds with json' do
+ post :create, status_message_hash.merge(:format => 'js')
+ json = JSON.parse(response.body)
+ json['post_id'].should_not be_nil
+ json['html'].should_not be_nil
+ end
+ it 'escapes XSS' do
+ xss = ""
+ post :create, status_message_hash.merge(:format => 'js', :message => xss)
+ json = JSON.parse(response.body)
+ json['html'].should_not =~ /