$attachmentsManager.inlineImages($textParagraph) shown in notifications due to security restrictions when content contains a potential path traversal


    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Email notifications

      Summary

      When "../" appears in an issue description or comment, the email notification shows the literal text "$attachmentsManager.inlineImages($textParagraph)" instead of the rendered content.

      Checking the logs, we see the following error:

      Mail Queue Service [velocity] Found a potential path traversal attempt in the parameters: [<p style='margin-top:0;margin-bottom:10px;'>...\DB</p>] of method: inlineImages from object of class: com.atlassian.jira.mail.util.MailAttachmentsManagerImpl, rejecting due to security restrictions 

      This behavior results from the change described in our Jira 10 release notes:

      We're making steps towards verifiably secure installation directories for all Data Center products. These changes not only increase the difficulty for an attacker to exploit filesystem access but also allow customers to verify the state of the product installation.

      Starting from Jira 10.0, all Velocity files stored on the filesystem (for example, shared, local home, or any other) will need to be explicitly allowlisted and must be of a specific file type. Files stored inside .jar files and bundled within plugins won't be affected.

      In addition, all method invocations within a Velocity template must be explicitly allowlisted. For more information, visit Configuring the Velocity method allowlist and Configuring the Velocity file and file type allowlist.
      For now, the Velocity method allowlist is in debug mode so that app developers can adjust to this mechanism and for us to complete the main allowlist and minimize the risk of issues. The debug mode will be disabled at the earliest in the upcoming Long Term Support release.

      The above change was introduced to improve security.

      However, the error presented in the notification is very misleading: the recipient sees an unexpanded template reference rather than any indication that a security check rejected the content.

      This security restriction needs to be handled better, and a different message or warning should be displayed in the notification.
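To make the reported behaviour concrete, the following Python sketch (added here; it is not Jira or Atlassian code, and `guarded_inline_images`, `render_naive` and `render_safe` are hypothetical stand-ins) simulates a method guard that rejects any string argument containing a traversal pattern. The "naive" renderer reproduces the symptom from this issue, leaving the raw template reference in the output, while the "safe" renderer shows the kind of explicit notice this suggestion asks for.

```python
import html
import re

# Constructed stand-in for the Velocity method guard described above: any
# string argument that looks like a path traversal ("../" or "..\") is
# refused before the method runs, even when it is free-text user content.
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Template fragment as it appears in the reported notification.
CALL = "$attachmentsManager.inlineImages($textParagraph)"


class MethodRejected(Exception):
    """Raised when the guard refuses a method invocation."""


def guarded_inline_images(markup: str) -> str:
    """Hypothetical inlineImages(): the guard runs first, so a paragraph
    that merely mentions '../DB' is rejected as a traversal attempt."""
    if TRAVERSAL.search(markup):
        raise MethodRejected(
            "Found a potential path traversal attempt in the parameters")
    # Stand-in for the real work: mark <img> tags as inlined.
    return markup.replace("<img", "<img data-inlined='1'")


def render_naive(paragraph: str) -> str:
    """Behaviour as reported: a rejected call is left unexpanded, so the
    recipient sees the template source instead of the content."""
    try:
        return guarded_inline_images(paragraph)
    except MethodRejected:
        return CALL


def render_safe(paragraph: str) -> str:
    """Suggested behaviour: keep the (already rendered) paragraph without
    inlined images and append a clear, escaped notice about why.
    Assumes `paragraph` is HTML the renderer already sanitised."""
    try:
        return guarded_inline_images(paragraph)
    except MethodRejected as exc:
        notice = html.escape(str(exc))
        return (f"{paragraph}<p><em>Inline images were not processed: "
                f"{notice}.</em></p>")
```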

            Assignee: Unassigned
            Reporter: Mikaela Teixeira
            Votes: 0
            Watchers: 2