release(v2.10.3): harden profile picture preview (blob URL validation + cleanup)

CHANGELOG.md

@@ -1,6 +1,12 @@
 # Changelog
 
-## Changes 12/19/2025 (v2.10.2)
+## Changes 12/19/2025 (v2.10.2 & v2.10.3)
+
+`release(v2.10.3): harden profile picture preview (blob URL validation + cleanup)`
+
+- Validate the generated ObjectURL is a `blob:` URL before assigning to the preview image.
+- Revoke the ObjectURL after the image loads to prevent memory leaks.
+- Keep the same user-facing behavior while tightening security hygiene and robustness.
 
 `release(v2.10.2): harden auth + remember-me rotation, user panel, and case-insensitive users`
 

public/js/userPanel.js

@@ -332,11 +332,13 @@ export async function openUserPanel() {
       const f = this.files[0];
       if (!f) return;
       // preview immediately
-      // #nosec
-      img.src = URL.createObjectURL(f);
       const blobUrl = URL.createObjectURL(f);
-      // use setAttribute + encodeURI to avoid “DOM text reinterpreted as HTML” alerts
-      img.setAttribute('src', encodeURI(blobUrl));
+      if (typeof blobUrl !== 'string' || !blobUrl.startsWith('blob:')) {
+        showToast(t('error_updating_picture'));
+        return;
+      }
+      img.src = blobUrl;
+      img.addEventListener('load', () => URL.revokeObjectURL(blobUrl), { once: true });
       // upload
       const fd = new FormData();
       fd.append('profile_picture', f);