Thanks for you quick response, Mark.
We didn't change the security settings – the current value for the markup formatter is "Safe HTML". The other available value is "Escaped HTML". I just changed the setting to Escaped HTML once and back to Safe HTML again to rule out a weird configuration bug, but I doubt that this is the reason.
I guess it's rather the security fix for the git plugin "Escape HTML generated into jelly pages with escape="true". The last version without this fix is 2.3.2; I'll see if I can install it to verify this.
It would be nice if the escaping could be done at a different level, i.e. before the jira-plugin has processed the message, or if it would use the "Safe HTML" formatter that would only remove potentially malicious tags like <script>.
|