Stored XSS on oslo.io in notifications via project name change
Medium
Logitech
Reported by
optional
Vulnerability Details
Technical details and impact analysis
Hey Logitech team.
## Summary:
It is possible for an editor on a project to rename a project to a malicious HTML element, which, when opened in the notification dropdown, will render and fire JavaScript.
## Steps To Reproduce:
1. Invite user to join the project and allow editor permissions.
2. As the editor account, click on any of the projects and click rename. Insert malicious HTML there.
3. Log in as the owner of the project directory and click on the notification bell on the top right. This will cause the XSS to fire.
## Supporting Material/References:
_Fig 1: Inviting the editor to project_
{F1143360}
_Fig 2: Notification Settings for Owner:_
{F1143367}
_Fig 3: Editor Changing Project name to malicious object_
{F1143363}
{F1143364}
_Fig 4: Logging in as the owner again_
{F1143361}
_Fig 5: Opening Notification Bell_
{F1143362}
## Impact
The impact of this vulnerability is that users who are invited onto projects as an editor are able to inject malicious JavaScript such as keyloggers to escalate their privileges or perform actions as other users.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Cross-site Scripting (XSS) - Stored
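
The following is an added example, not part of the original report and not oslo.io code. It sketches the class of fix for a notification entry built from a stored project name, with a regression check. The function names, the event shape, the markup template and the sample project name are all assumptions constructed for illustration.

```javascript
// Added illustration: every name below is hypothetical, not taken from oslo.io.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored project name is concatenated into markup unchanged,
// so any element it contains becomes part of the notification dropdown.
function renderNotificationUnsafe(event) {
  return `<li class="notification">${event.actor} renamed a project to ` +
         `<strong>${event.projectName}</strong></li>`;
}

// "After": every user-controlled field is encoded at the point of output.
function renderNotificationSafe(event) {
  return `<li class="notification">${escapeHtml(event.actor)} renamed a project to ` +
         `<strong>${escapeHtml(event.projectName)}</strong></li>`;
}

// Regression check: list any tag in the rendered entry that the template
// itself does not emit. A non-empty result means user data became markup.
function injectedTags(html, allowed = ["li", "strong"]) {
  const found = [];
  for (const match of html.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const name = match[1].toLowerCase();
    if (!allowed.includes(name)) found.push(name);
  }
  return found;
}

// Constructed sample: a rename event whose project name contains an element
// with an event-handler attribute (the handler body is an inert comment).
const renameEvent = {
  actor: "editor@example.test",
  projectName: '<img src="x" onerror="/* constructed */">',
};

console.log(injectedTags(renderNotificationUnsafe(renameEvent)));
console.log(injectedTags(renderNotificationSafe(renameEvent)));
console.log(renderNotificationSafe(renameEvent));
```

In browser code that builds the entry with DOM APIs, assigning the project name through `textContent` rather than `innerHTML` has the same effect as the encoding step.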