Jenkins Help

Note
This page is generated from Jenkins inline help intended to be rendered within the Jenkins UI. Some minor content glitches are expected.

In places such as the project description, user description, view description, and build description, Jenkins lets users enter free-form descriptive text. This configuration determines how that free-form text is converted to HTML. By default, Jenkins treats the text as HTML and uses it as-is, unmodified (this is the default mainly for backward compatibility).

While this is convenient, and people often use it to load <iframe>, <script>, and so on to mash up data from other sources, this capability enables malicious users to mount XSS attacks. If the risk outweighs the benefit, install additional markup formatter plugins and use them.
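
The three ways a description can be turned into HTML, as an added illustration in Python rather than code from Jenkins or any plugin: as-is (the default described above), fully escaped, and allow-list sanitized. The function names, the tag allow-list, and the sample description are assumptions constructed for this example.

```python
import html
from html.parser import HTMLParser

# Assumptions for this illustration only: the allow-list and the sample text.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "li", "a", "code"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style", "iframe"}
SAMPLE = ('<b>Nightly</b> <a href="javascript:void(0)" onclick="x()">logs</a>'
          '<script>alert(1)</script> <iframe src="https://example.invalid/">')

def render_raw(text):
    return text  # default described above: emitted as HTML, unmodified

def render_escaped(text):
    return html.escape(text, quote=True)  # every character shown literally

class _Sanitizer(HTMLParser):
    """Allow-list mode: keep harmless formatting, drop everything else."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            href = next((v for k, v in attrs if k == "href" and v), "").strip()
            # Only <a href> with an allow-listed scheme survives; on* handlers,
            # style and every other attribute are discarded.
            keep = tag == "a" and href.lower().startswith(SAFE_URL_PREFIXES)
            attr = f' href="{html.escape(href, quote=True)}"' if keep else ""
            self.out.append(f"<{tag}{attr}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def render_sanitized(text):
    parser = _Sanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    for render in (render_raw, render_escaped, render_sanitized):
        print(f"{render.__name__}: {render(SAMPLE)}")
```

An unclosed dropped element, such as the trailing `<iframe>` in the sample, suppresses everything after it, so the sanitizer fails closed.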