graphite-project / graphite-web

A highly scalable real-time graphing system

Home Page:http://graphite.readthedocs.org/


[BUG] Stored XSS in cookie

takyoni opened this issue · comments

Describe the bug
It's possible to execute JS in the application context by modifying the "Relative Time Range".

To Reproduce
Access a graphite-web instance (i.e. http://localhost/dashboard/). You don't really need data in it.

<noscript><p title="</noscript><img src=x onerror=alert() onmouseover=alert()>">"

  • Now there will always be XSS when you go to http://localhost/dashboard/
  • It's connected with cookie ys-defaultGraphParams
  • After performing all the actions, its value becomes:

s%3A%7B%22from%22%3A%22-2%3Cnoscript%3E%3Cp%20title%3D%5C%22%3C/noscript%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28%29%20onmouseover%3Dalert%28%29%3E%5C%22%3E%5C%22hours%22%2C%22until%22%3A%22now%22%2C%22width%22%3A400%2C%22height%22%3A250%7D

Expected behavior
This can be solved by removing or ignoring requests containing the characters "<" ">" and/or other escaping/scripting characters. -> Sanitize the value before using it.

Screenshots
Screenshot (2037)
Screenshot (2038)
Screenshot (2039)

Environment (please complete the following information):

  • OS flavor: Debian
  • Graphite-web version [1.1.8-8]
  • Django/Python version N/A but confirmed on 1.08-1.11/2.7, 2.1/3.6
  • Setup type: docker

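As an added example (not graphite-web's own code), the following shows the defensive check the report asks for: decode the ys-defaultGraphParams cookie, allowlist-validate the "from"/"until" values against a relative-time grammar, and HTML-encode them before rendering as a second layer. The "s:" prefix handling and the allowlist regex are assumptions for this example; the sample cookie is the value quoted in the report.

```python
import html
import json
import re
from urllib.parse import unquote

# Cookie value quoted in the bug report (decodes to "s:" followed by JSON).
MALICIOUS_COOKIE = (
    "s%3A%7B%22from%22%3A%22-2%3Cnoscript%3E%3Cp%20title%3D%5C%22%3C/noscript%3E"
    "%3Cimg%20src%3Dx%20onerror%3Dalert%28%29%20onmouseover%3Dalert%28%29%3E%5C%22%3E"
    "%5C%22hours%22%2C%22until%22%3A%22now%22%2C%22width%22%3A400%2C%22height%22%3A250%7D"
)

# Conservative allowlist for relative time strings such as "-2hours" or "now".
# Assumption for this example, not graphite-web's own time-parsing grammar.
TIME_UNITS = r"(?:s|sec|seconds?|min|minutes?|h|hours?|d|days?|w|weeks?|mon|months?|y|years?)"
RELATIVE_TIME = re.compile(rf"^(?:now|today|yesterday|-\d+{TIME_UNITS})$")


def decode_graph_params(cookie_value: str) -> dict:
    """URL-decode the cookie, strip the 's:' type prefix and parse the JSON object."""
    raw = unquote(cookie_value)
    if raw.startswith("s:"):
        raw = raw[2:]
    params = json.loads(raw)
    if not isinstance(params, dict):
        raise ValueError("graph params must be a JSON object")
    return params


def validate_time_range(params: dict) -> dict:
    """Reject any 'from'/'until' value that is not a well-formed time expression.

    Allowlisting the grammar is stricter than stripping '<' and '>' and also
    blocks other unexpected content from reaching the page.
    """
    for key in ("from", "until"):
        value = params.get(key, "now")
        if not isinstance(value, str) or not RELATIVE_TIME.match(value):
            raise ValueError(f"invalid {key!r} value: {value!r}")
    return params


def render_time_range(params: dict) -> str:
    """Output-encode the values when building HTML, independent of validation."""
    return (f'<span class="from">{html.escape(params["from"])}</span>'
            f'<span class="until">{html.escape(params["until"])}</span>')
```

Applying validate_time_range to the decoded report cookie raises ValueError, while "-2hours"/"now" passes and renders unchanged.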

Fixed in #2785