Comment 3 for bug 1717542

Martin Ivanov (martin76) wrote :

Here are more details from the auditing scan.

Details
URL encoded POST input next was set to /dashboard/9voye{{1==1}}cns7e.
The input was reflected inside an AngularJS template.

POST /dashboard/auth/login/ HTTP/1.1
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
Referer: https://10.3.199.109
Cookie: csrftoken=ULqDeIIm2VZnsOcUz5MdYityXbygIGJZ; token=; login_region="https://vCPEManager:5000/v3"; login_domain=
Host: 10.3.199.109
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

csrfmiddlewaretoken=ULqDeIIm2VZnsOcUz5MdYityXbygIGJZ&fake_email=sample%40email.tst&fake_password=g00dPa%24%24w0rD&next=/dashboard/9voye{{1==1}}cns7e&password=g00dPa%24%24w0rD&region=https://vCPEManager:5000/v3&username=ktjeylhq