The main issue here is that <script> tags are allowed and are spit back onto the page, which is bad. We should either scrub those client-side or not allow them server-side and send an error back. I would prefer the server side since the error logic already exists.
