I´ve gone through Skillbuilder Is your Jira Instance secure (for server/DC), and in that skillbuilder the underestimated risk due to javascript (based on activation of HTML) is discussed. 

In server/DC Jira Admin may turn off (in General Configuration) Enable HTML in project description and Enable HTML in custom field descriptions and list item values. I have now looked for the same configuration options in Cloud, but cannot find any.

So, my question is really this: Is there not a potential for HTML/JavaScript and WebSudo session threat in Cloud? And if no, how has this been solved in cloud? And if there is a potential threat, how can I as a Jira admin secure my instance against these potential threats, as I cannot adjust settings anywhere?