1

Minor XSS in family name (missing html escape)
Bugs Desktop Mobile Done

Ddavgi
May 21, 2024
Post #1 Tuesday, May 21, 2024 10:24 AM

Requirements: an account with a family plan

Click the "Add Member" button in Settings > Family members
Copy the kagi.com/join link
Modify the family name to "anything <s>"
Open the link (unauthenticated)
The page will have a manipulated DOM

Impact: minor.
The XSS <script> tag is blocked by the inline-src policy, but it can still be used to modify the DOM with other tags.

Here is an example screenshot with an inserted <u> tag:

The name should be sanitized and escaped instead.

Vlad added the Planned tag May 21, 2024.

Luis added the Next release tag and removed the Planned tag May 21, 2024.

Vlad added the Done tag and removed the Next release tag May 21, 2024.

No one is typing

Minor XSS in family name (missing html escape)

davgi

Requirements: an account with a family plan

Click the "Add Member" button in Settings > Family members
Copy the kagi.com/join link
Modify the family name to "anything <s>"
Open the link (unauthenticated)
The page will have a manipulated DOM

Impact: minor.
The XSS <script> tag is blocked by the inline-src policy, but it can still be used to modify the DOM with other tags.

Here is an example screenshot with an inserted <u> tag:

The name should be sanitized and escaped instead.