Skip to content

Fix/avatar url validation#268

Merged
Mosas2000 merged 31 commits intomainfrom
fix/avatar-url-validation
Mar 14, 2026
Merged

Fix/avatar url validation#268
Mosas2000 merged 31 commits intomainfrom
fix/avatar-url-validation

Conversation

@Mosas2000
Copy link
Copy Markdown
Owner

@Mosas2000 Mosas2000 commented Mar 14, 2026

Closes #237

Mosas2000 added 30 commits March 14, 2026 10:18
@Mosas2000
feat: add isValidAvatarUrl helper function
52ee9a4 
Validates that avatar URLs use the https: protocol. Uses the URL
constructor to parse the input, which also rejects malformed URLs.

Refs #237
@Mosas2000
fix: only render avatar preview for valid https URLs
893740b 
The preview image is now only shown when the URL passes validation.
This prevents rendering tracking pixels, data: URIs, and other
potentially malicious content.

Closes #237
@Mosas2000
feat: show validation message for non-HTTPS avatar URLs
33751ee 
When the user enters a URL that does not use https://, a red
message appears below the input explaining the requirement.
@Mosas2000
fix: reject non-HTTPS avatar URLs on form submission
5d67c9b 
The validateForm function now checks the avatar URL protocol before
allowing a save. This is a defense-in-depth measure alongside the
preview validation.
@Mosas2000
refactor: import ImageOff icon for placeholder avatar
8d537ff
@Mosas2000
feat: show placeholder icon when avatar URL is invalid
c37d8a6 
Replaces the plain text message with a styled placeholder that
mirrors the valid preview layout, making the invalid state
visually consistent.
@Mosas2000
fix: add referrerPolicy=no-referrer to avatar preview
56f5478 
Prevents the browser from sending a Referer header when loading the
avatar image. This reduces information leakage to external image
hosts.
@Mosas2000
fix: add crossOrigin=anonymous to avatar preview
b29125b 
Ensures the image request does not include cookies or credentials,
further limiting the data exposed to external hosts.
@Mosas2000
perf: add loading=lazy to avatar preview image
8c3c9d8
@Mosas2000
test: add data-testid to avatar preview for test assertions
00b790c
@Mosas2000
test: add data-testid to invalid avatar indicator
bfbdf93
@Mosas2000
a11y: link avatar input to validation error via aria-describedby
8dba871
@Mosas2000
a11y: add id and role=alert to avatar validation error
58f1729
@Mosas2000
feat: highlight avatar input border red when URL is invalid
d7d0f79 
Provides immediate visual feedback that the entered URL does not
pass validation, consistent with how other form fields handle errors.
@Mosas2000
docs: add JSDoc to isValidAvatarUrl
6dcc012
@Mosas2000
test: add data-testid to display name input
a915995
@Mosas2000
test: add data-testid to bio textarea
918ccab
@Mosas2000
test: add data-testid to avatar URL input
80e0d5c
@Mosas2000
test: add data-testid to profile save button
304b933
@Mosas2000
chore: verify display name has aria-required
def5e0c
@Mosas2000
fix: disable save button when avatar URL is invalid
6fabf5d
@Mosas2000
a11y: add aria-invalid to avatar input when URL fails validation
0152fc8
@Mosas2000
fix: trim whitespace from avatar URL input on change
f2bbc18
@Mosas2000
docs: add JSDoc to fetchProfile
ef92953
@Mosas2000
docs: add JSDoc to validateForm
9195710
@Mosas2000
docs: add JSDoc to handleSaveProfile
a04f549
@Mosas2000
style: constrain avatar preview max-width
9474a08
@Mosas2000
a11y: add form role and aria-label to profile container
f4f24c1
@Mosas2000
test: add data-testid to profile loading indicator
4268a0a
@Mosas2000
a11y: add aria-busy to profile loading state
3ad573e
@Mosas2000 Mosas2000 merged commit 4b2fec2 into main Mar 14, 2026
3 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ProfileManager renders arbitrary user-supplied URLs in avatar preview

1 participant

@Mosas2000