Stored XSS in "product type" field executed via product filters

HI @judgeme! I found Stored XSS!) I Install judge.me in Shopify E-Commerce. Step to reproduce: 1. Log in to our shopify dev store and install "judgeme" app. 2. Create random product in our Shopify store (make it active) and insert XSS playload "><img src=x onerror=prompt(document.domain)> in "PRODUCT TYPE" field and SAVE {F1518888} 3. Then go to our judgeme app https://xxx.myshopify.com/admin/apps/judgeme/products. There is a filter field TYPE . Click on it and select our playload from the list {F1518897} 4. And it works ))) {F1518898} I attached video POC ## Impact Session Hijacking, Cookie Stealing.