Jira appears to disclose unprocessed server tags in the output of the Marketplace plugin

    • Type: Bug
    • Resolution: Not a bug
    • Priority: Highest
    • None
    • Affects Version/s: 6.2.2
    • Component/s: None
    • 6.02

      As discovered/reported by running a security scan with the Acunetix web vulnerability scanner on our internally hosted instance of Jira, the Marketplace plugin appears to disclose ASP.NET style server tags in the output HTML.

      For example, <% if(closable){%> appears in the HTML for the following page:

      https://<yourjiradomain>/plugins/servlet/upm/marketplace

      The example above appears to be the result of code in a template, shown below:

      <script type="text/x-template" id="upm-aui-message">
      <div class="aui-message shadowed<% if (closeable) {%> closeable<% } %> <%= type %>">
      <p class="title"><%= title %></p>
      <span class="aui-icon aui-icon-small icon-<%= type %>"></span>
      <% if (message) {%> <p><%= message %></p> <% } %>
      <% if (closeable) { %> <span class="aui-icon icon-close" role="button" tabindex="0"></span> <% } %>
      </div>
      </script>

              Assignee:
              Unassigned
              Reporter:
              Gavin Roberts
              Votes:
              0
              Watchers:
              2
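
A triage check for this kind of scanner finding, as an added example that is not part of the original report or of Atlassian's code: it labels each `<% ... %>` tag in a response by whether it sits inside a non-executable `<script type="text/x-template">` block like the one quoted above. The `triage` function, the verdict strings and the sample response (including the stray footer tag) are constructed for illustration; treating such blocks as client-side templates is an assumption based on the block's `type` attribute.

```python
import re

# A <script> whose type is not a JavaScript type is never executed by the
# browser; its body is inert text that page code can read as a template.
JS_TYPES = {"", "text/javascript", "application/javascript", "module"}
SCRIPT_RE = re.compile(r"<script\b(?P<attrs>[^>]*)>(?P<body>.*?)</script\s*>",
                       re.IGNORECASE | re.DOTALL)
TYPE_RE = re.compile(r"""(?<![\w-])type\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
TAG_RE = re.compile(r"<%.*?%>", re.DOTALL)

# Constructed sample response: part of the template quoted in the report,
# followed by one made-up tag outside any template block for contrast.
SAMPLE_RESPONSE = '''<html><body>
<script type="text/x-template" id="upm-aui-message">
<div class="aui-message shadowed<% if (closeable) {%> closeable<% } %> <%= type %>">
<p class="title"><%= title %></p>
<% if (message) {%> <p><%= message %></p> <% } %>
</div>
</script>
<p class="footer"><%= footerText %></p>
</body></html>'''


def triage(html):
    """Return (tag, verdict, script_type) for every <% ... %> tag in html."""
    inert = []  # (body_start, body_end, type) of non-executable script blocks
    for m in SCRIPT_RE.finditer(html):
        t = TYPE_RE.search(m.group("attrs"))
        stype = t.group(1).lower() if t else ""
        if stype not in JS_TYPES:
            inert.append((m.start("body"), m.end("body"), stype))
    findings = []
    for m in TAG_RE.finditer(html):
        stype = next((t for s, e, t in inert if s <= m.start() < e), None)
        verdict = ("client-side template" if stype
                   else "review: outside a template block")
        findings.append((m.group(0), verdict, stype))
    return findings


if __name__ == "__main__":
    for tag, verdict, stype in triage(SAMPLE_RESPONSE):
        print(f"{verdict:34} {stype or '-':16} {tag}")
```

Tags labelled "review" are the ones worth checking against the server-side source, since they reached the client outside any template container.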