Stored XSS on [your_zendesk].zendesk.com in Facebook Channel

Disclosed: 2016-06-01 21:16:03 By eboda To zendesk
Unknown
Vulnerability Details
I have found a stored XSS in the Facebook Channel options at `https://[your_zendesk].zendesk.com/agent/admin/facebook/facebook_auth`. The XSS is a result of improperly escaping Facebook Page names.

Steps to reproduce
-------------------------

1. Create a Facebook page with the following title/page name: `Foobar" onmouseover=location='javascript:alert\x28document.domain\x29'` (I had to play around with this a bit to get it working correctly, as Facebook has strict policies on the page name. If the page already exists, try to replace `Foobar` with any other random string.)
2. Create your own Zendesk account and then go to `https://[your_zendesk].zendesk.com/agent/admin/facebook/facebook_auth` to add a Facebook page.
3. After adding the page created in step 1, hover over the "Unlink" button to trigger the XSS. See also the attached screenshot.

Attack scenario
--------------------

Obviously anyone with the permissions to add Facebook pages can trigger this stored XSS and attack the admins with the usual XSS attacks.
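The attribute injection the report describes, as an added example that is neither Zendesk's code nor the reporter's. The markup of the "Unlink" button (a `title` attribute carrying the page name) is an assumption made for illustration; the real template is not shown on the page. The block renders the button with the reporter's payload as the page name, first by plain string concatenation and then with attribute escaping, and a small attribute tokenizer shows that the unescaped version gains an `onmouseover` attribute while the escaped one does not.

```javascript
// Added example (not Zendesk's or the reporter's code).
// ASSUMPTION: the admin page renders the Unlink button with the Facebook Page
// name inside a double-quoted title attribute. The real template is unknown.

// The page name from the report, kept verbatim (String.raw preserves the
// backslashes; the JS engine only decodes \x28 and \x29 when the handler runs).
const PAGE_NAME = String.raw`Foobar" onmouseover=location='javascript:alert\x28document.domain\x29'`;

// Vulnerable rendering: the untrusted name is concatenated into an attribute
// value, so a double quote in the name closes the attribute early and the rest
// of the name is parsed as new attributes on the <button>.
function renderUnlinkUnsafe(pageName) {
  return `<button class="unlink" title="Unlink ${pageName}">Unlink</button>`;
}

// Fix: escape every character that can terminate or restructure an attribute
// value. Both quote styles are escaped so the helper is safe whether the
// template quotes the attribute with " or '. It is never safe for unquoted
// attributes, where whitespace alone starts a new attribute.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderUnlinkSafe(pageName) {
  return `<button class="unlink" title="Unlink ${escapeAttr(pageName)}">Unlink</button>`;
}

// Minimal tokenizer returning the attribute names of the first start tag.
// It follows the HTML attribute rules closely enough for this check: a name
// ends at whitespace, '=', '/' or '>'; a quoted value ends at the matching
// quote; an unquoted value ends at whitespace or '>'.
function attributeNames(html) {
  const names = [];
  let i = html.indexOf('<');
  if (i < 0) return names;
  i++;
  while (i < html.length && !/[\s\/>]/.test(html[i])) i++; // skip tag name
  while (i < html.length) {
    while (i < html.length && /[\s\/]/.test(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    let name = '';
    while (i < html.length && !/[\s=\/>]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        const end = html.indexOf(q, i + 1);
        i = end < 0 ? html.length : end + 1;
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
      }
    }
  }
  return names;
}

// True when the rendered tag carries an event-handler attribute (on*), i.e.
// when the page name escaped its attribute and became executable.
function hasInjectedHandler(html) {
  return attributeNames(html).some((n) => n.startsWith('on'));
}

console.log('unsafe attributes:', attributeNames(renderUnlinkUnsafe(PAGE_NAME)));
console.log('safe attributes:  ', attributeNames(renderUnlinkSafe(PAGE_NAME)));
```

The unescaped render yields the attributes `class`, `title` and `onmouseover`, which is exactly what makes hovering the button fire the payload; after escaping, the whole page name stays inside `title` and no handler attribute exists. Escaping at the output point is the durable fix: Facebook's page-name policy is not a security control, and the reporter got the payload through it.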
Report Stats
  • Report ID: 129862
  • State: Closed
  • Substate: resolved
  • Upvotes: 4