From 00a6f5b601003acfb30f5d2d9f7907276f394be8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Sun, 6 Oct 2019 03:57:46 +0200
Subject: [PATCH] Remove `<%==` usage displaying settings

Using `<%==` is the same as using `raw`. I'm not sure if we meant `sanitize` in this case, or it's just a typo. I'm assuming the latter since we don't use anything similar in any other places.
---
 app/views/dashboard/mailing/new.html.erb | 2 +-
 app/views/dashboard/polls/index.html.erb | 2 +-
 app/views/dashboard/poster/new.html.erb | 2 +-
 spec/features/xss_spec.rb | 10 ++++++++++
 4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/app/views/dashboard/mailing/new.html.erb b/app/views/dashboard/mailing/new.html.erb
index 9cd2a34b5..1c24c2d91 100644
--- a/app/views/dashboard/mailing/new.html.erb
+++ b/app/views/dashboard/mailing/new.html.erb
@@ -1,7 +1,7 @@
 <% content_for :action_title, t("dashboard.mailing.new.title") %>
- <%== Setting["proposals.email_description"] %>
+ <%= Setting["proposals.email_description"] %>
<%= render "mailing_options" %>
diff --git a/app/views/dashboard/polls/index.html.erb b/app/views/dashboard/polls/index.html.erb
index 031c0da4f..24c9fd82d 100644
--- a/app/views/dashboard/polls/index.html.erb
+++ b/app/views/dashboard/polls/index.html.erb
@@ -1,7 +1,7 @@
 <% content_for :action_title, t("dashboard.polls.index.title") %>
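Review bot: The mailing view now escapes `Setting["proposals.email_description"]`, but the spec hunk in this commit only adds a regression scenario for `proposals.poll_description`, so this view and `app/views/dashboard/poster/new.html.erb` (`proposals.poster_description`) could go back to `<%==` without any test noticing. I'd add parallel scenarios in spec/features/xss_spec.rb that set each of those two settings to `attack_code`, visit the mailing and poster dashboard pages for a proposal, and use the same assertion as the poll scenario. If these descriptions are meant to carry markup, the safe replacement is `sanitize` with an explicit tag allowlist rather than `raw`; otherwise plain `<%=` is the right default, as the commit message reasons. The remaining context lines of this hunk appear to have been dropped in this rendering, so only the changed line is visible here.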
- <%== Setting["proposals.poll_description"] %>
+ <%= Setting["proposals.poll_description"] %>
 <% if @polls.any? %>
diff --git a/app/views/dashboard/poster/new.html.erb b/app/views/dashboard/poster/new.html.erb
index 893f05ff9..172b34f92 100644
--- a/app/views/dashboard/poster/new.html.erb
+++ b/app/views/dashboard/poster/new.html.erb
@@ -1,7 +1,7 @@
 <% content_for :action_title, t("dashboard.poster.new.title") %>
- <%== Setting["proposals.poster_description"] %>
+ <%= Setting["proposals.poster_description"] %>
<%= render "poster_options" %>
diff --git a/spec/features/xss_spec.rb b/spec/features/xss_spec.rb
index adbd5b3b3..136f0e36a 100644
--- a/spec/features/xss_spec.rb
+++ b/spec/features/xss_spec.rb
@@ -60,6 +60,16 @@ describe "Cross-Site Scripting protection", :js do
 expect(page.text).not_to be_empty
 end

+ scenario "poll description setting in dashboard" do
+ Setting["proposals.poll_description"] = attack_code
+ proposal = create(:proposal)
+
+ login_as(proposal.author)
+ visit proposal_dashboard_polls_path(proposal)
+
+ expect(page.text).not_to be_empty
+ end
+
 scenario "annotation context" do
 annotation = create(:legislation_annotation)
 annotation.update_column(:context, attack_code)
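Review bot: `expect(page.text).not_to be_empty` in the new "poll description setting in dashboard" scenario passes for any page that renders at all, so on its own it does not prove the setting is escaped; it follows the surrounding scenarios, which presumably rely on the `:js` driver failing when injected script actually runs. If `attack_code` is a plain string payload, asserting it shows up as literal text, `expect(page).to have_content attack_code`, would pin the escaping directly and fail again if the view reverted to `<%==`. It is also worth confirming that `Setting["proposals.poll_description"]` is reset between examples, since the assignment is global and any such cleanup is outside this hunk. The enclosing `describe` block starts before and ends after the hunk.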