Stored cross-site scripting in dataset owner.
Quantopian
Reported by irisrumtub
Vulnerability Details
Technical details and impact analysis
Hi again. Another XSS this time.
**Summary:** Unescaped chars in 'dataset owner' could be abused to store arbitrary JavaScript.
**Description:** There is a 'dataset owner' field in the new 'custom dataset dashboard' which contains unsanitized output. If an attacker modifies his name, like first name `<img src=x` and last name `onerror=alert(1)>`, the field would hold a script. While for most users this is a case of self-XSS, for enterprise users (for which, as I understand, this field was introduced in the first place), it can lead to executing arbitrary JavaScript.
**Steps To Reproduce:**
1. Put the payload in name and/or surname *(first name `<img src=x` and last name `onerror=alert(1)>`)*
2. Navigate to custom datasets.
**Test account information**
[email protected]
## Impact
Executing arbitrary JavaScript, stealing other users' algos as demonstrated in previous reports with XSS on quantopian domain.
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $1925.00
Weakness: Cross-site Scripting (XSS) - Stored
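
The report attributes the issue to unescaped output in the owner field. As an added example (not code from the report or from Quantopian), the sketch below shows why checking each name field on its own misses the split payload, and why encoding the joined value at the point of output neutralises it. The per-field filter, the `<td>` markup and all function names are assumptions made for illustration.

```javascript
// Added example, not Quantopian's code. Filter, markup and names are assumed.

// Constructed sample input: the first/last name pair given in the report.
const reportedUser = { firstName: "<img src=x", lastName: "onerror=alert(1)>" };

// Hypothetical per-field filter: removes only complete <...> tags.
// Neither half of the split payload is a complete tag, so both pass unchanged.
function stripCompleteTags(value) {
  return value.replace(/<[^>]*>/g, "");
}

// Output encoding for HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak pattern: fields are filtered one by one, then concatenated into markup.
function renderOwnerUnsafe(user) {
  const name = `${stripCompleteTags(user.firstName)} ${stripCompleteTags(user.lastName)}`;
  return `<td class="dataset-owner">${name}</td>`;
}

// Hardened pattern: join first, then encode the whole value where it is written.
function renderOwnerSafe(user) {
  const name = `${user.firstName} ${user.lastName}`;
  return `<td class="dataset-owner">${escapeHtml(name)}</td>`;
}

// Check for review or regression tests: does the cell body contain a live tag?
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<td class="dataset-owner">/, "")
    .replace(/<\/td>$/, "");
  return /<[a-zA-Z]/.test(inner);
}

console.log("unsafe:", renderOwnerUnsafe(reportedUser),
            "-> live tag:", containsInjectedTag(renderOwnerUnsafe(reportedUser)));
console.log("safe:  ", renderOwnerSafe(reportedUser),
            "-> live tag:", containsInjectedTag(renderOwnerSafe(reportedUser)));
```

In a browser, assigning the owner name through `textContent` instead of building an HTML string gives the same protection without a hand-written encoder.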