- Type: Bug
- Resolution: Fixed
- Priority: Highest
- Component/s: Integrations - Confluence Questions
- Severity 3 - Minor
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.
A persistent cross-site scripting flaw exists in user profiles when the user updates his/her Homepage URL from the Atlassian ID system to contain an XSS vector which executes when inserted as a link and clicked on by the victim.
1. Visit https://id.atlassian.com/profile/
2. Update your Homepage URL to something like "javascript:alert(document.cookie);" and then submit the changes
3. Return to your profile on answer.atlassian.com and see reflected changes to Homepage URL on profile.

I have also emailed security@atlassian.com to inform them of unvalidated input on Atlassian's main profile system (id.atlassian.com), as I feel that validating that a user indeed puts in a URL will prevent flaws such as this one.
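
The URL validation suggested above, sketched as an added example (not part of the original report and not Atlassian's code): a scheme allowlist applied both when the Homepage URL is saved and again when the profile page renders the stored value as a link. The function names, the 2048-character limit and the `rel` attribute values are assumptions made for illustration.

```javascript
// Added example: allowlist validation for a profile "Homepage URL" field.
// Only absolute http(s) URLs are accepted; everything else is rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_URL_LENGTH = 2048; // assumed limit, not taken from the report

// Returns a normalised URL string, or null if the input must be rejected.
// Parsing with the WHATWG URL parser (the same algorithm browsers use)
// lower-cases the scheme and strips leading whitespace, so the check sees
// the scheme the browser would act on rather than the raw string prefix.
function normalizeHomepageUrl(input) {
  if (typeof input !== "string" || input.length > MAX_URL_LENGTH) return null;
  let url;
  try {
    url = new URL(input); // no base URL: relative input throws
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Escapes a string for use inside a double-quoted HTML attribute or text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render-side check: values stored before validation existed (or written
// by another system) are re-validated, and no link is emitted on failure.
function renderHomepageLink(storedValue) {
  const safe = normalizeHomepageUrl(storedValue);
  if (safe === null) return "";
  const esc = escapeHtml(safe);
  return `<a href="${esc}" rel="nofollow noopener noreferrer">${esc}</a>`;
}

// Constructed sample inputs: the value from the report, a case/whitespace
// variant of it, a bare hostname, and an ordinary homepage URL.
const samples = [
  "javascript:alert(document.cookie);",
  "  JavaScript:alert(document.cookie);",
  "example.com",
  "https://example.com/?a=1&b=2",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", renderHomepageLink(s) || "(no link rendered)");
}
```

Validating only at the write path leaves already-stored values exploitable, which is why the render function repeats the check instead of trusting the database.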
- is related to: CONFSERVER-46664 Persistent Cross Site Scripting Flaw in User Profiles (Closed)