Specific areas of the application can pass user-supplied HTML to the browser, provided it contains no scripting tags. To prevent cross-site scripting (XSS), each HTML submission is passed through a filter that detects scripting tags. Most CollabNet pages use this filter, so all user-supplied HTML is escaped except where it is explicitly allowed.
Allowed HTML is limited to the following subset of HTML tags: <!-- --> <A> <ABBR> <ACRONYM> <AREA> <B> <BASE> <BASEFONT> <BIG> <BDO> <BLINK> <BLOCKQUOTE> <BR> <CAPTION> <CENTER> <CITE> <CODE> <COL> <COLGROUP> <DD> <DEL> <DFN> <DIV> <DL> <DT> <EM> <FIELDSET> <FONT> <H1> <H2> <H3> <H4> <H5> <H6> <HR> <I> <IMG> <INS> <KBD> <LI> <LABEL> <LEGEND> <LINK> <MAP> <MENU> <MULTICOL> <NOBR> <NOFRAMES> <NOSCRIPT> <OL> <OPTGROUP> <P> <PARAM> <PRE> <Q> <S> <SAMP> <SMALL> <SPACER> <SPAN> <STRIKE> <STRONG> <STYLE> <SUB> <SUP> <TBODY> <TD> <TFOOT> <TH> <THEAD> <TR> <TT> <TABLE> <U> <UL> <VAR> <WBR>
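An allowlist filter of this kind, sketched in Python as an added example (not CollabNet's code): tags outside the list above are escaped so the browser shows them as text. The attribute rules in `attr_is_safe` (dropping `on*` handlers and any `href`/`src` scheme other than http, https or mailto) are assumptions of this example, since the page specifies tags only.

```python
import html
import re
from html.parser import HTMLParser

# Tag allowlist from the page, lower-cased (comments are handled separately).
ALLOWED_TAGS = frozenset("""a abbr acronym area b base basefont big bdo blink blockquote br
caption center cite code col colgroup dd del dfn div dl dt em fieldset font h1 h2 h3 h4 h5 h6
hr i img ins kbd li label legend link map menu multicol nobr noframes noscript ol optgroup p
param pre q s samp small spacer span strike strong style sub sup tbody td tfoot th thead tr tt
table u ul var wbr""".split())
# Attribute rules are assumptions of this example; the page lists tags only.
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}

def attr_is_safe(name, value):
    # Drop event handlers (onclick, onerror, ...) and malformed attribute names.
    if name.startswith("on") or not re.fullmatch(r"[a-z][a-z0-9\-]*", name):
        return False
    if name in URL_ATTRS and value:
        compact = re.sub(r"[\x00-\x20]", "", value).lower()
        m = re.match(r"([a-z][a-z0-9+.\-]*):", compact)
        return m is None or m.group(1) in SAFE_SCHEMES
    return True

class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # not on the list: render it as text
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = "".join(f' {n}="{html.escape(v or "")}"'
                       for n, v in attrs if attr_is_safe(n, v))
        self.out.append(f"<{tag}{kept}>")
    handle_startendtag = handle_starttag  # <br/> is emitted once, as <br>
    def handle_endtag(self, tag):
        text = f"</{tag}>"
        self.out.append(text if tag in ALLOWED_TAGS else html.escape(text))
    def handle_data(self, data):
        self.out.append(html.escape(data))  # text is always escaped
    def handle_comment(self, data):
        self.out.append(f"<!--{html.escape(data)}-->")

def filter_html(markup):
    f = AllowlistFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out)
```

Declarations and processing instructions are dropped because the parser's default handlers for them emit nothing.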