Versions Compared

...

The app supports the injection of JavaScript into Jira pages via SQL output, to create small, interactive GUIs with HTML. This is a very powerful feature indeed, but it is also risky, because a malicious Jira user could run code on behalf of other users.

...

It is strongly recommended that trusted users sanitize any Jira user-supplied text displayed by the app, such as summaries, descriptions, comments, user properties, etc., by using the built-in escape() function in SQL or its counterpart in JavaScript, or the htmltext() function to extract plain text from HTML.

For example:

select key(issue) as "Issue", htmltext(summary(issue)) as "Summary" from JQL where query = ' reporter = currentUser() '
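As an added example (not the app's own code), the unsafe and hardened ways a page script could render the query rows above as an HTML table; it assumes the rows arrive as objects keyed by column alias, and escapeHtml/htmlText are stand-ins for the app's escape() and htmltext(), not the app's API:

```javascript
// Constructed sample output of the query (Issue, Summary columns);
// the second Summary is text a malicious Jira user could have typed.
const SAMPLE_ROWS = [
  { Issue: "DEMO-1", Summary: "Login button misaligned" },
  { Issue: "DEMO-2", Summary: "<script>alert(1)</script> broken <b>bold</b>" },
];

// Stand-in for the SQL escape(): encode the HTML-significant characters
// so the browser displays the text instead of parsing it as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for htmltext(): keep only the visible text of an HTML fragment
// (tags dropped, common entities decoded once). The result is still
// untrusted text and must be escaped again before going into markup.
function htmlText(html) {
  return String(html)
    .replace(/<[^>]*>/g, "")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&"); // decode &amp; last so "&amp;lt;" stays "&lt;"
}

// Unsafe: raw user text is concatenated into the page, so a crafted
// summary runs as script in every viewer's browser.
function renderUnsafe(rows) {
  return rows.map(r => `<tr><td>${r.Issue}</td><td>${r.Summary}</td></tr>`).join("");
}

// Hardened: every cell is escaped; optionally reduce it to plain text first,
// mirroring htmltext(summary(issue)) in the SQL example.
function renderSafe(rows, stripTags = false) {
  return rows.map(r => {
    const summary = stripTags ? htmlText(r.Summary) : r.Summary;
    return `<tr><td>${escapeHtml(r.Issue)}</td><td>${escapeHtml(summary)}</td></tr>`;
  }).join("");
}
```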

...