Dom Based Xss

Hi. found dom xss on this subdomain eng.uber.com. you are using a vulnerable plugin prettyPhoto.. This XSS will work in Firefox,Chrome - Google and IE last version ! And this is very dangerous! POC Firefox vector http://eng.uber.com/#prettyPhoto[i]/x,<svg/onload=alert(document.domain)>/x POC Google and IE http://eng.uber.com/#prettyPhoto[gallery]/1,<a onclick="alert(document.domain);">/ Add screenshot How to fix the vulnerability,upgrade the plugin or add the filter hashIndex = parseInt(hashIndex) hashRel = hashRel.replace(/([ #;&,.+*~\':"!^$[]()=>|\/])/g,'\$1');