I wanted to share my finding in regard to Stored XSS in Facebook.com.
First, I need to state that finding any Stored XSS problems in facebook.com is considerably rare.
1. I found another way to bypass the protection and, thus, alter the page title name via the Facebook API for Updating Page Attributes (https://developers.facebook.com/docs/reference/api/page/#page_access_tokens).
2. In Facebook Pages, it’s possible to add an application to your page by using the “Adding to a Page” box:
When a tab is added to your page, Facebook displays the pages you own or manage by their title. Because of that situation, I was able to execute a Stored XSS (Facebook did not filter the Page Title Name).
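The pattern described above, as an added example that is not part of the original post and is not Facebook's code: a title filter exists on one write path, a second write path lacks it, and the page-picker renderer is only safe if it encodes titles at output. All function names, the page id and the sample title are hypothetical and constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, not Facebook code.
const pages = new Map(); // pageId -> stored title

// Write path 1: the web form rejects markup characters on input.
function setTitleViaForm(pageId, title) {
  if (/[<>"'&]/.test(title)) throw new Error("title contains markup characters");
  pages.set(pageId, title);
}

// Write path 2: an API update that never got the same input filter.
function setTitleViaApi(pageId, title) {
  pages.set(pageId, title);
}

// Weak renderer: assumes every stored title already passed the form filter.
function renderPickerUnsafe(ids) {
  return ids.map(id => `<li data-page="${id}">${pages.get(id)}</li>`).join("");
}

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Hardened renderer: encodes at output, so the write path no longer matters.
function renderPickerSafe(ids) {
  return ids
    .map(id => `<li data-page="${escapeHtml(id)}">${escapeHtml(pages.get(id))}</li>`)
    .join("");
}

// Constructed sample title carrying markup (test data, not from the post).
const SAMPLE_TITLE = 'Acme <img src=x onerror=alert(1)>';

function demo() {
  let formRejected = false;
  try { setTitleViaForm("p1", SAMPLE_TITLE); } catch (e) { formRejected = true; }
  setTitleViaApi("p1", SAMPLE_TITLE); // same value, accepted on the other path
  return {
    formRejected,
    unsafe: renderPickerUnsafe(["p1"]),
    safe: renderPickerSafe(["p1"]),
  };
}

console.log(demo());
```

Encoding in the renderer protects every view that displays the title, including ones added after the input filter was written.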
It appears only to be a Self-Stored XSS, even though Facebook Pages allow you to use the Admin Roles Setting to add more admins to your Page. In this case, I added the victim as the admin of my “malicious page.” There was no need for the victim to accept the admin request. It was simply added to my page automatically and I was able to exploit this XSS flaw by sending the victim a single link: