URL parameters like https://glamtools.toolforge.org/glamorous.php?username='><script>alert('XSS');</script> can be used to execute arbitrary JS.
Since I had not received an email response for T305764 either, I am reporting this to Phabricator as well.
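The payload above begins with `'>`, which would close a single-quoted HTML attribute and the tag around it. The PHP below is an added illustration, not the source of glamorous.php: the form markup, the function names and the assumption that `username` is echoed into a single-quoted `value` attribute are all hypothetical. It contrasts raw output, encoding that skips single quotes, and encoding that covers them.

```php
<?php
// Added illustration; NOT the tool's code. Markup and function names are hypothetical.

// Constructed sample input: the parameter value from the report's URL.
$username = "'><script>alert('XSS');</script>";

// Vulnerable pattern: request data concatenated raw into a single-quoted attribute.
function render_unsafe(string $username): string {
    return "<input type='text' name='username' value='" . $username . "' />";
}

// Incomplete fix: ENT_COMPAT (the default flag before PHP 8.1) encodes < > & "
// but leaves ' alone, so the value still ends the attribute early.
function render_partial(string $username): string {
    return "<input type='text' name='username' value='"
        . htmlspecialchars($username, ENT_COMPAT, 'UTF-8') . "' />";
}

// Hardened: ENT_QUOTES also encodes ' so the value cannot leave the attribute.
function render_safe(string $username): string {
    return "<input type='text' name='username' value='"
        . htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "' />";
}

// Check: parse the markup and confirm the attribute holds exactly the input
// and that no <script> element was created.
function value_round_trips(string $html, string $expected): bool {
    libxml_use_internal_errors(true);   // keep parser warnings off the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $inputs = $doc->getElementsByTagName('input');
    return $inputs->length === 1
        && $inputs->item(0)->getAttribute('value') === $expected
        && $doc->getElementsByTagName('script')->length === 0;
}

foreach (['render_unsafe', 'render_partial', 'render_safe'] as $render) {
    $html = $render($username);
    echo $render, ': ', $html, PHP_EOL;
    echo '  value intact, no script element: ';
    var_dump(value_round_trips($html, $username));
}
```

Only the `ENT_QUOTES` variant keeps the whole input inside the attribute; the `ENT_COMPAT` variant blocks the `<script>` element but still lets the leading quote end the attribute.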