I have email template which I 'parse' and send (from current Lead form) as a parameter to new email form (from JavaScript).

var parameters = {};
parameters["subject"] = 'Subject name';
parameters["description"] = '<font face="Tahoma, Verdana, Arial" size=2 style="display:inline;"><br></font>';

Xrm.Utility.openEntityForm("email", null, parameters);

or

let serverUrl = "https://companyname.crm4.dynamics.com";

let extraqs = "subject=Subject name";
extraqs += '&description=<font face="Tahoma, Verdana, Arial" size=2 style="display:inline;"><br></font>';

let targetUrl = serverUrl.replace(/\/$/, "") + "/main.aspx?etn=email&pagetype=entityrecord&extraqs=" + encodeURIComponent(extraqs);
parent.open(targetUrl);

or

let serverUrl = "https://companyname.crm4.dynamics.com";

let extraqs = 'subject=' + encodeURIComponent('Subject name');
extraqs += '&description=' + encodeURIComponent('<font face="Tahoma, Verdana, Arial" size=2 style="display:inline;"><br></font>');

let targetUrl = serverUrl.replace(/\/$/, "") + "/main.aspx?etn=email&pagetype=entityrecord&extraqs=" + extraqs;
parent.open(targetUrl);

I get error every time I want to send anything look like as html tag (anything contains '<' or '>' sign).

Is it possible at all, to send my html markup trough the parameters, is there any security issue with this ?

This is solvable with encodeURIComponent / decodeURIComponent like this:

parameters["description"] = encodeURIComponent('<html here>');

And on the other side:

var description = decodeURIComponent(incomingParameterHere);

In this fashion your HTML passes through as a simple string. This can(should?) be applied to all strings being passed around via JS.

What I found what that for description to contain html tags it needs the pId and pType values defined (wonder if this is by design or a bug)

var entityFormOptions = {
    entityName: "email"
};

var emailFormParams = {
    subject: "subject",
    description:"<p1>html here</p1>",
    //sets the regarding - needed for description to be html
    pId:"{GUID}",
    pType:112 //objectTypeCode for the party
};

Xrm.Navigation.openForm(entityFormOptions, emailFormParams);