Jira Platform Cloud: JRACLOUD-42617

Certain wiki markup characters can be used to escape Internet Explorer MIME Sniffing Security Hole Workaround Policy


      NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

      The "Internet Explorer MIME Sniffing Security Hole Workaround Policy" option on JIRA's General Configuration page can be used to turn off inline rendering of attachments, including images, when it is set to "Secure: forced download of attachments for all browsers".

      However, it appears possible to bypass this setting for the inline image markup by combining it with other wiki markup, such as a table pipe, a quote block, or numbered/bulleted list markup placed in front of the inline image markup.

      Steps to reproduce

      • Set "Internet Explorer MIME Sniffing Security Hole Workaround Policy" to "Secure: forced download of attachments for all browsers" in General Configurations.
      • Try to render an image attachment inline using !image.png!
      • Try adding a pipe in front of the markup as in |!image.png! as well.
      • Try adding a bulleted list marker in front of the markup as in *!image.png! as well.
      • Try adding a numbered list marker in front of the markup as in #!image.png! as well.
      • Try wrapping the markup in a quote block as in {quote}!image.png! {quote} as well.

      Expected Behavior

      • The image is not rendered in any of the above cases, as the setting requires.

      Actual behavior

      • The image is rendered when the markup is combined with a table pipe, a quote block, or numbered/bulleted list markup.
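A hypothetical model of the defect described above and of its fix, added here as an example and not Jira's own code: the flawed renderer consults the policy only when the image macro begins the line, so every prefixed variant from the steps above slips through, while the hardened renderer applies the policy to each image macro regardless of the surrounding markup. The sample markup, the simplified image-macro regex and the HTML shapes are constructed for the example.

```python
import re

# Constructed sample wiki markup covering the variants listed in the report:
# bare macro, table cell, bulleted list, numbered list and quote block.
SAMPLES = {
    "bare":     "!image.png!",
    "table":    "|!image.png!",
    "bullet":   "*!image.png!",
    "numbered": "#!image.png!",
    "quote":    "{quote}!image.png! {quote}",
}

FORCE_DOWNLOAD = "Secure: forced download of attachments for all browsers"

# Simplified image macro: !name! with no parameters (assumption for the model).
IMAGE_MACRO = re.compile(r"!([^!|\s]+)!")

# Constructed HTML shapes: an inline image versus a plain attachment link.
AS_IMG = r'<img src="/attachment/\1">'
AS_LINK = r'<a href="/attachment/\1">\1</a>'


def render_flawed(markup, policy):
    """Model of the reported behaviour: the policy is only consulted when the
    image macro starts the line, so a pipe, list marker or quote prefix reaches
    the image renderer without the check being applied."""
    if markup.startswith("!") and policy == FORCE_DOWNLOAD:
        return IMAGE_MACRO.sub(AS_LINK, markup)
    return IMAGE_MACRO.sub(AS_IMG, markup)


def render_hardened(markup, policy):
    """Apply the policy to every image macro, whatever markup precedes it."""
    if policy == FORCE_DOWNLOAD:
        return IMAGE_MACRO.sub(AS_LINK, markup)
    return IMAGE_MACRO.sub(AS_IMG, markup)


def inline_images(html):
    """Attachment names that the rendered output would display inline."""
    return re.findall(r'<img src="/attachment/([^"]+)">', html)


def bypassing_variants(render, policy=FORCE_DOWNLOAD):
    """Sample variants for which render() still emits an inline <img>."""
    return sorted(n for n, m in SAMPLES.items() if inline_images(render(m, policy)))
```

Running `bypassing_variants` against both renderers reproduces the report: the flawed model leaks the four prefixed variants, the hardened one leaks none.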

      Assignee: Unassigned
      Reporter: Taiwo Akindele (Inactive)