harden css escaping for background

Co-authored-by: Sunwuyuan <88357633+Sunwuyuan@users.noreply.github.com>
2026-02-04 07:53:11 +00:00 · 2025-12-29 10:28:00 +00:00 · 2025-12-29 10:28:00 +00:00 · 2c12051c45
commit 2c12051c45
parent b96484d26a
1 changed files with 10 additions and 3 deletions
--- a/src/pages/index.vue
+++ b/src/pages/index.vue
@ -693,8 +693,9 @@ export default {
      if (!safeUrl) return { display: "none" };

      const blur = Math.min(Math.max(this.backgroundBlurAmount, 0), 50);
+      const escaped = this.cssEscape(encodeURI(safeUrl));
      return {
-        backgroundImage: `url("${encodeURI(safeUrl)}")`,
+        backgroundImage: `url("${escaped}")`,
        filter: `blur(${blur}px)`,
      };
    },
@ -2217,7 +2218,7 @@ export default {
      try {
        const parsed = new URL(trimmed, window.location.origin);
        const protocol = parsed.protocol.replace(":", "");
-        if (["http", "https", "data", "blob"].includes(protocol)) return true;
+        if (["http", "https", "blob"].includes(protocol)) return true;
      } catch (e) {
        // Allow relative paths
        if (
@ -2237,9 +2238,15 @@ export default {
        return parsed.href;
      } catch (e) {
        // Fallback for relative paths when URL parsing fails
-        return url.replace(/[^a-zA-Z0-9-._~!$&'()*+,;=/:@%]/g, "");
+        return url.replace(/[^a-zA-Z0-9-._~/:@%+#?&=]/g, "");
      }
    },
+    cssEscape(value) {
+      if (typeof CSS !== "undefined" && CSS.escape) {
+        return CSS.escape(value);
+      }
+      return value.replace(/[^a-zA-Z0-9_\-]/g, (char) => `\\${char}`);
+    },

    safeBase64Decode(base64String) {
      try {