URL parameters like https://usualsuspects.toolforge.org/?project=%27%3C/input%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E can be used to execute arbitrary JS.
Since I had not received an email response for T305764 either, I am reporting this to Phabricator as well.