Reflective Cross-site Scripting via Newsletter Form

*.myshopify.com is vulnerable to a reflective cross-site scripting attack in the newsletter form. This can be crafted to trigger on a page load without any further user interaction. The following example url shows this vulnerability: ``` https://testbuguser.myshopify.com/?contact[email]%20onfocus%3dblocked:alert(%27xss%27)%20autofocus%20a=a&form_type[a]aaa ``` This was tested on a newly registered store "testbuguser.myshopify.com" If you require any additional details, please do not hesitate to bump. ## Impact This attack could be leveraged to compromise administrative sessions or perform actions on behalf of users with the same level of privilege as the user.