Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization
MarkdownBody, the shared component used to render every Markdown surface in the Paperclip UI (issue documents, issue comments, chat threads, approvals, agent details, export previews, etc.), passes urlTransform={(url) => url} to react-markdown. That override replaces react-markdown's built-in defaultUrlTransform — the library's only defense against javascript:/vbscript:/data: URL injection — with a no-op, and the custom a component then renders the unsanitized href directly. Any authenticated company member can plant text in …