When I try to register the application with description string that contains the ampersand the string cuts. When the ampersand is in the beginning of the string it even gives me the validation message that description is too short, and when it’s not it saves only the part of the string before ampersand. Here’s the video https://youtu.be/pMAcpFqcEy4
I don’t know exactly, but I think it can be because twitter doesn’t encode the string and ampersand separates the second part of the string to be parsed as another request parameter while passing it to the some API endpoint.
I don’t know for sure, it’s just a guess, but I think it can be a potential vulnerability, so I’ve decided to report about it