Requirements: an account with a family plan
- Click the "Add Member" button in Settings > Family members
- Copy the kagi.com/join link
- Modify the family name to "anything <s>"
- Open the link (unauthenticated)
- The invite page renders the injected tag, so its DOM is altered by the attacker-chosen name
Impact: minor.
An injected <script> tag is blocked by the inline-src policy, but the injection can still be used to alter the DOM with other HTML tags.
Here is an example screenshot with an inserted <u> tag:
The family name should be sanitized and HTML-escaped before it is rendered into the page.
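As an added illustration of the recommended fix (not Kagi's code): the family name is read from the join link and HTML-escaped where it enters the markup, in element text and attribute context alike. The "name" query parameter and the function names are assumptions made for this example.

```javascript
// Added example (not Kagi's code): render the invite page with the
// family name HTML-escaped. The "name" query parameter and the
// function names are assumptions made for this illustration.

const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can break out of text or
// attribute context in HTML; one escaper covers both contexts below.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Pull the family name out of a join link, e.g. the constructed sample
// https://kagi.com/join?name=anything%20%3Cs%3E
function familyNameFromJoinLink(link) {
  return new URL(link).searchParams.get("name") ?? "";
}

// Vulnerable rendering: the untrusted name is interpolated verbatim,
// so "anything <s>" puts a live <s> element into the page.
function renderInviteUnsafe(familyName) {
  return `<h1>You have been invited to ${familyName}</h1>`;
}

// Hardened rendering: escape at the point where the value enters HTML.
function renderInviteSafe(familyName) {
  const safe = escapeHtml(familyName);
  return `<h1 title="${safe}">You have been invited to ${safe}</h1>`;
}

// Regression check for the report's payload: the only tags in the
// output must be the template's own <h1>...</h1>.
function hasOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) ?? [];
  return tags.every((t) => /^<\/?h1\b/.test(t));
}
```

Running `hasOnlyTemplateTags` over both renderings for the reported name shows the unsafe template leaking an `<s>` element while the escaped one emits only text.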