[hackideiomat]

Ha, exactly! They rarely fix bugs.

E.g., XSS / HTML injection in summarizer or discuss document. Or their broken CSP which allows injecting forms to e.g., change settings.

They haven't fixed many reported issues in a while, and just to prove I'm not lying: https://kagi.com/discussdoc?url=https%3A%2F%2Fkagi.com%2Fcha...

[tmikaeld]

While it doesn't look good, it doesn't inject or execute scripts.

Still, would have liked an official take on this. I was about to re-signup but now I'll hold off on that.

[hackideiomat]

Oh yes because of the CSP. The CSP that allows forms that can change your settings... you could easily use the above bug to get some impact with an additional click on a form's submit button.

Admittedly, no full XSS anymore, but still dangerous and shows their lack of understanding and caring about security.

It's not the only place you can inject HTML and not every page has a CSP...

[tmikaeld]

I don't get why they allow injection of irrelevant url parameters in the first place, it's the first rule of any input - remove what's not used and sanitize what is.