diff --git a/app/views/dashboard/actions/new_request.html.erb b/app/views/dashboard/actions/new_request.html.erb
index 1b6fd3710..ba6486ce5 100644
--- a/app/views/dashboard/actions/new_request.html.erb
+++ b/app/views/dashboard/actions/new_request.html.erb
@@ -2,7 +2,7 @@
- <%== dashboard_action.description %>
+ <%= WYSIWYGSanitizer.new.sanitize(dashboard_action.description) %>
<%= render "dashboard/form" %>
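Review bot: Switching from `<%==` to `<%=` on the sanitized description means the markup is only rendered if `WYSIWYGSanitizer#sanitize` returns a string already marked `html_safe`; if it returns a plain String, ERB will escape it a second time and users will see literal tags rather than formatted text, so confirm the sanitizer's return type rather than adding `.html_safe` in the view (the safety mark belongs with the code that applies the allowlist). The sanitizer is also called on `dashboard_action.description` unguarded; if that column is nullable and the sanitizer does not accept nil, a missing description would now raise where `<%==` printed nothing, in which case `dashboard_action.description.to_s` is the minimal fix. The accompanying spec hunk only asserts that `page.text` is not empty, which presumably relies on the JS driver failing on an unexpected alert; a short comment in the spec stating that assumption would make the test's intent clear to the next reader. The enclosing template continues outside this hunk.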
diff --git a/spec/features/xss_spec.rb b/spec/features/xss_spec.rb
index 136f0e36a..71447c976 100644
--- a/spec/features/xss_spec.rb
+++ b/spec/features/xss_spec.rb
@@ -60,6 +60,16 @@ describe "Cross-Site Scripting protection", :js do
expect(page.text).not_to be_empty
end
+ scenario "new request for proposal action in dashboard" do
+ proposal = create(:proposal)
+ action = create(:dashboard_action, description: attack_code)
+
+ login_as(proposal.author)
+ visit new_request_proposal_dashboard_action_path(proposal, action)
+
+ expect(page.text).not_to be_empty
+ end
+
scenario "poll description setting in dashboard" do
Setting["proposals.poll_description"] = attack_code
proposal = create(:proposal)