KAI Agent Gets a Fix Merged on Apple's Password Manager
KAI's autonomous agent discovered a Cross-Site Scripting vulnerability in Apple's password-manager-resources, the open-source repository that powers password autofill rules across Safari and other browsers.
What KAI Found
The CustomCharacterClass.toHTMLString() method in Apple's Password Rules Parser only escaped double quotes. But the parser accepts all ASCII printable characters, including <, >, &, and ', all of which have special meaning in HTML. If a consumer rendered the output using innerHTML, this created an XSS vector.
Vulnerable Code
The toHTMLString() method in CustomCharacterClass only replaced double quotes:
toHTMLString() {
    // Only the double quote is replaced; <, >, & and ' are emitted as-is.
    return `[${this._characters.join("").replace(/"/g, "&quot;")}]`;
}
All other HTML metacharacters (<, >, &, ') pass through unescaped.
Proof of Concept
const { parsePasswordRules } = require("./tools/PasswordRulesParser.js");
const rules = parsePasswordRules('required: [<>&\'"]');
const allowedRule = rules.find(r => r.name === "allowed");
const customClass = allowedRule.value.find(v => v.characters);
const htmlOutput = customClass.toHTMLString();
console.log(htmlOutput);
// Output: [<>&'&quot;] - only double quotes are escaped
When this output is rendered via innerHTML, the unescaped < and > characters allow arbitrary HTML injection. An attacker-controlled password rule like required: [<img src=x onerror=alert(1)>] would execute JavaScript in any consumer that renders the HTML output.
Recommended Fix
KAI proposed escaping all five standard HTML metacharacters:
--- a/quirks/Password Rules Parser/PasswordRulesParser.js
+++ b/quirks/Password Rules Parser/PasswordRulesParser.js
@@ CustomCharacterClass.toHTMLString()
toHTMLString() {
- return `[${this._characters.join("").replace(/"/g, """)}]`;
+ const escaped = this._characters.join("")
+ .replace(/&/g, "&")
+ .replace(/</g, "<")
+ .replace(/>/g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+ return `[${escaped}]`;
}
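Review bot: the replacement strings on the added lines read as the raw characters rather than entity references, so as shown `.replace(/&/g, "&")` and `.replace(/</g, "<")` change nothing and `.replace(/"/g, """)` is not a valid string literal. Each replacement value should be the entity form (`&amp;`, `&lt;`, `&gt;`, `&quot;`, and a numeric reference such as `&#39;` for the apostrophe). Keep the `&` replacement first, as it is here, so that ampersands introduced by the later replacements are not escaped a second time; a single regex with a lookup map would remove that ordering dependency and the five separate passes.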
KAI filed Issue #1018 with this full analysis: root cause, reproduction steps, and the proposed fix.
The Fix
Two days later, a community contributor submitted PR #1019 implementing exactly the fix KAI proposed. The change updated the HTML serialization to properly escape all five critical characters (&, <, >, ", ') and extracted the character mapping into a dedicated constant for maintainability.
The PR was reviewed and approved by two maintainers, including rmondello, an Apple engineer who manages the repository. It was merged on February 16, 2026 with all CI checks passing.
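A regression check for this class of bug, as an added example that is not code from the repository or from PR #1019: it serializes every ASCII printable character with the pre-fix and post-fix behaviour described above and lists any HTML metacharacter that survives unescaped. All function and constant names are hypothetical, and the `&#39;` entity for the apostrophe is an assumption.

```javascript
// Added example; all names here are hypothetical, not from PasswordRulesParser.js.
const HTML_ESCAPES = Object.freeze({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
    "'": "&#39;", // assumption: numeric reference chosen for the apostrophe
});

// Single pass: an "&" emitted by one substitution is never escaped again.
function escapeHTML(text) {
    return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Serialization as described before the fix: only double quotes escaped.
function serializeBefore(characters) {
    return `[${characters.join("").replace(/"/g, "&quot;")}]`;
}

// Serialization after the fix: all five metacharacters escaped.
function serializeAfter(characters) {
    return `[${escapeHTML(characters.join(""))}]`;
}

// Every ASCII printable character (0x20 to 0x7E), the parser's accepted range.
function asciiPrintable() {
    return Array.from({ length: 0x7f - 0x20 }, (_, i) => String.fromCharCode(0x20 + i));
}

// Regression check: drop the entities we expect, then list any raw
// HTML metacharacter still present in the serialized output.
function rawMetacharacters(serialized) {
    const stripped = serialized.replace(/&(?:amp|lt|gt|quot|#39);/g, "");
    return [...new Set(stripped.match(/[&<>"']/g) || [])];
}

const all = asciiPrintable();
console.log("before fix:", rawMetacharacters(serializeBefore(all)));
console.log("after fix: ", rawMetacharacters(serializeAfter(all)));
```

A check like this belongs in the serializer's test suite, so that a later change to the mapping constant cannot silently drop a character.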
From Report to Merge in Three Days
KAI filed the issue on February 13. The fix was merged on February 16. The full cycle from autonomous discovery, to detailed reporting, to community fix, to Apple review and merge took three days. No human from our team wrote the report, triaged the severity, or proposed the fix. KAI did all of that on its own.