Remove <%== usage displaying settings

Using `<%==` is the same as using `raw`. I'm not sure if we meant
`sanitize` in this case, or it's just a typo. I'm assuming the latter
since we don't use anything similar in any other places.

app/views/dashboard/mailing/new.html.erb

@@ -1,7 +1,7 @@
 <% content_for :action_title, t("dashboard.mailing.new.title") %>
 <div class="row expanded">
   <div class="small-12 medium-9 column">
-    <%== Setting["proposals.email_description"] %>
+    <%= Setting["proposals.email_description"] %>
   </div>
 
   <%= render "mailing_options" %>

app/views/dashboard/polls/index.html.erb

@@ -1,7 +1,7 @@
 <% content_for :action_title, t("dashboard.polls.index.title") %>
 <div class="row expanded">
   <div class="small-12 medium-9 column">
-    <%== Setting["proposals.poll_description"] %>
+    <%= Setting["proposals.poll_description"] %>
 
     <% if @polls.any? %>
       <div class="row expanded margin-top" data-equalizer="poll-cards" data-equalize-on="medium">

app/views/dashboard/poster/new.html.erb

@@ -1,7 +1,7 @@
 <% content_for :action_title, t("dashboard.poster.new.title") %>
 <div class="row expanded">
   <div class="small-12 medium-9 column">
-    <%== Setting["proposals.poster_description"] %>
+    <%= Setting["proposals.poster_description"] %>
   </div>
 
   <%= render "poster_options" %>

spec/features/xss_spec.rb

@@ -60,6 +60,16 @@ describe "Cross-Site Scripting protection", :js do
     expect(page.text).not_to be_empty
   end
 
+  scenario "poll description setting in dashboard" do
+    Setting["proposals.poll_description"] = attack_code
+    proposal = create(:proposal)
+
+    login_as(proposal.author)
+    visit proposal_dashboard_polls_path(proposal)
+
+    expect(page.text).not_to be_empty
+  end
+
   scenario "annotation context" do
     annotation = create(:legislation_annotation)
     annotation.update_column(:context, attack_code)