POST-based XSS on apps.shopify.com

Hello Shopify team! I found a post-based XSS which may be shared to other users and occurs in firefox, IE, Edge. How to reproduce: 1. at partners.shopify.com go to apps -> choose one -> more actions -> create shopify app store listing 2. you will get redirected to url with ?signature parameter. Full copy whole URL. 3. as App name specify </script><svg onload=alert()> 4. in incognito tab open URL copied in step 2 5. click Preview changes How to fix: Sanitize parameters which are getting inserted in <script> tag. ## Impact POST-based XSS in firefox/ie/edge. probably safari too