- Suggestion
- Resolution: Fixed

Problem
By default, Jira allows HTML in custom field descriptions and list item values. The configuration item that prevents this is in Jira Admin -> System -> Enable HTML in custom field descriptions and list item values, and is Enabled by default.
Justification
This introduces scope for values to break the page in exciting ways - for example, adding <!-- breaks the rest of the page when the field is loaded. Actually, on Field Configuration and Custom Fields pages, this prevents the ability to edit to undo the breakage (aside from editing the database).
Some customers require this, but we should encourage its disablement. Disabling it by default would help.
Suggested Solution
Disable this option by default
from https://confluence.atlassian.com/jirasoftware/jira-software-8-7-x-upgrade-notes-987138245.html
... It will now be switched to OFF for new Jira installations and the upgraded ones that have never used it. ... We recommend that you keep this option disabled for security reasons.
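
An added example, not part of the ticket and not Atlassian code: a small Python audit that classifies stored custom field descriptions and option values, flagging the unterminated <!-- case described above along with other markup worth reviewing before the option is switched off. The sample values, the finding names and the assumption that values have been exported as (name, text) pairs are all constructed for illustration.

```python
import re

# Constructed sample input: (custom field name, description or option value).
SAMPLE_FIELDS = [
    ("Customer tier", "Pick the <b>contract</b> tier."),
    ("Legacy notes", "See the wiki <!-- TODO remove"),
    ("Region", "EMEA, APAC or AMER"),
    ("Approver", '<img src="x.png" onload="init()">'),
    ("Team", "<div><b>Owning team</div>"),
]

CLOSED_COMMENT = re.compile(r"<!--.*?-->", re.S)
TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)((?:\s[^<>]*)?)/?>")
ON_ATTR = re.compile(r"\son[a-z]+\s*=", re.I)
ACTIVE = {"script", "iframe", "object", "embed", "style", "form"}
VOID = {"br", "hr", "img", "input", "wbr"}


def classify(value):
    """Return the most serious finding for one stored value."""
    # An opener with no later closer comments out everything rendered after it.
    if value.rfind("<!--") > value.rfind("-->"):
        return "unterminated-comment"
    stack, seen_tag, active, unbalanced = [], False, False, False
    for closing, name, attrs in TAG.findall(CLOSED_COMMENT.sub("", value)):
        name, seen_tag = name.lower(), True
        if name in ACTIVE or ON_ATTR.search(attrs):
            active = True  # script-capable element or event-handler attribute
        if closing:
            if stack and stack[-1] == name:
                stack.pop()
            else:
                unbalanced = True  # closes something that is not innermost
        elif name not in VOID:
            stack.append(name)
    if active:
        return "active-content"
    if unbalanced or stack:
        return "unbalanced-markup"
    return "markup" if seen_tag else "plain"


def audit(fields):
    """Map field name -> finding for every value that is not plain text."""
    findings = {name: classify(value) for name, value in fields}
    return {name: f for name, f in findings.items() if f != "plain"}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_FIELDS).items():
        print(f"{finding:22} {name}")
```

Values reported as "markup" are balanced and harmless while HTML is rendered, but would appear as literal tags wherever the text is output unrendered, so they are worth rewriting as plain text before the setting is disabled.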

- causes
    JRASERVER-70909 Disabling HTML renderer in custom field description breaks the system field description - Closed
- is related to
    JRASERVER-70877 Adding a description for the Attachments field from the field configuration, shows <p> tags in the create issue screen. - Closed
    JRASERVER-44458 Using JavaScript in description field should require explicit configuration - Closed
- relates to
    JSDSERVER-8446 Customfield description show <p> tag in bulk edit - detail screen - Closed
    JRASERVER-38866 Disallow HTML markup for select list custom field option values - Closed
- is caused by
    MNSTR-3355