Skip to content

adagents.json builder: legacy quick-add form still emits v2 shape + XSS on imported markup #4468

Description

@bokelley

Follow-up from PR #4464.

While reviewing #4464, the code-reviewer flagged a second, pre-existing code path in `server/public/adagents-builder.html` around lines 5402-5413 (the legacy "quick-add" form, separate from the main builder state):

  1. It reads/writes bare `property_ids` with `tag:`-prefix semantics and no `authorization_type` — same v3 invalidity that fix(admin): adagents.json builder always emits valid v3 authorization_type #4464 fixed in the main flow.
  2. It interpolates `agent.url`, `agent.authorized_for`, and property IDs straight into `innerHTML` with no `escapeHtml()`. The path consumes an `adagents.json` fetched by domain — a malicious file can XSS the admin user.

Work

  1. Decide whether the quick-add form is still needed (the main builder flow has eclipsed it).
  2. If kept: rewrite to use the v3 shape and route the output through `escapeHtml()` consistently.
  3. If retired: delete the legacy form.

Why

Pre-existing risk; pulled into focus by the v3 migration. Worth a dedicated PR rather than bundling into the v3-validity fix.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingclaude-triagedIssue has been triaged by the Claude Code triage routine. Remove to re-triage.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions