- Search for a query that contains an HTML tag
- Either include the "?" to trigger quick answer automatically or click it manually
When searching for a query which contains some sort of HTML tags, the quick answer text can get really bugged out. I don't think it's an XSS vulnerability, but it's definitely not pleasant to get such a result.
Here are some example queries where I was able to get this:
https://kagi.com/search?q=what+is+%3Cscript%3Ealert%28%22test%22%29%3C%2Fscript%3E%3F
https://kagi.com/search?q=%3Csvg%3E+tag+not+found+at+t.value%3F
I expected a proper text block when reading the quick answer result; however, the text was messed up by the HTML tags trying to be rendered.
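The rendering the report expects, as an added example that is not part of the original post and is not Kagi's code: answer text that echoes the query is HTML-escaped first, and only formatting the renderer itself generates is turned into tags afterwards. The function names, the small inline-formatting subset and the sample answer are assumptions made for illustration; the two URLs are the ones from the report.

```javascript
// Added example (not Kagi's code): escape-then-format rendering for answer text.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Turn every HTML-significant character into its entity so the text is inert.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Recover the search query exactly as it was typed ("+" is a space, %3C is "<").
function queryFromUrl(url) {
  return new URL(url).searchParams.get("q");
}

// Hypothetical renderer: escape everything, then re-introduce only the tags
// we produce ourselves (inline code, bold, line breaks). Tags that arrive in
// the text, from the query or from the model, never reach the DOM as markup.
function renderAnswer(text) {
  return escapeHtml(text)
    .replace(/`([^`\n]+)`/g, "<code>$1</code>")
    .replace(/\*\*([^*\n]+)\*\*/g, "<strong>$1</strong>")
    .replace(/\n/g, "<br>");
}

// The two queries from the report.
const PAGE_URLS = [
  "https://kagi.com/search?q=what+is+%3Cscript%3Ealert%28%22test%22%29%3C%2Fscript%3E%3F",
  "https://kagi.com/search?q=%3Csvg%3E+tag+not+found+at+t.value%3F",
];

// Constructed sample answer that echoes a tag from the second query.
const SAMPLE_ANSWER = "The `<svg>` tag is **not** found.\nCheck t.value.";

for (const url of PAGE_URLS) {
  const q = queryFromUrl(url);
  console.log("query   :", q);
  console.log("rendered:", renderAnswer(q));
}
console.log("answer  :", renderAnswer(SAMPLE_ANSWER));
```

The order matters: applying the formatting step before escaping would let tags in the text survive as markup, which matches the symptom described in the report.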