In Apollo change requests, comments added by users could contain a `javascript:` URI link that, when rendered, results in an XSS that requires user interaction.
palantir apollo autopilot
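
A common mitigation for this class of bug is to allowlist URL schemes before a comment link is rendered. The following is an added example, not Palantir's code or fix; `safeHref`, `renderCommentLink`, the `unsafe-link` class and the allowlist are hypothetical, and the sample inputs are constructed.

```javascript
// Added example (not Apollo code): scheme allowlist for links in user comments.
// The allowlist below is an assumption; adjust it to what the product needs.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a normalized absolute URL string, or null if the link must not
// be rendered as a clickable link.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // Parse with the WHATWG URL parser, the same algorithm browsers use.
    // It lowercases the scheme and drops leading spaces and embedded
    // tabs/newlines, so "  JaVa\tScRiPt:..." is seen as "javascript:".
    // A string-prefix or regex check on the raw value would miss that.
    url = new URL(raw);
  } catch {
    // Relative or unparsable input: treated as unsafe in this example.
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Escapes text for use in HTML element content and quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a comment link; unsafe targets degrade to inert text.
function renderCommentLink(rawHref, label) {
  const href = safeHref(rawHref);
  const text = escapeHtml(label);
  if (href === null) return `<span class="unsafe-link">${text}</span>`;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer nofollow">${text}</a>`;
}

// Constructed sample inputs, as they might arrive in a comment body.
const samples = [
  "https://example.com/",
  "javascript:alert(1)",
  "  JaVa\tScRiPt:alert(1)",
  "data:text/html,<b>x</b>",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", renderCommentLink(s, "link"));
}
```

The check belongs on the server or in the rendering component, at the point where the stored comment becomes an `href`, so that comments saved before the fix are also covered.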