harden avatar URL validation to block root-relative paths

2026-03-16 22:37:34 +01:00 · 2026-03-16 22:37:34 +01:00 · 7690395efe
commit 7690395efe
parent c99ead8a87
1 changed files with 1 additions and 1 deletions
--- a/ui/src/ui/views/agents-utils.ts
+++ b/ui/src/ui/views/agents-utils.ts
@ -194,7 +194,7 @@ export function normalizeAgentLabel(agent: {
  return agent.name?.trim() || agent.identity?.name?.trim() || agent.id;
 }

-const AVATAR_URL_RE = /^(https?:\/\/|data:image\/|\/)/i;
+const AVATAR_URL_RE = /^(https?:\/\/|data:image\/|blob:)/i;

 export function resolveAgentAvatarUrl(
  agent: { identity?: { avatar?: string; avatarUrl?: string } },