From cdbe06f528d2eabcd68a920478d9c36c6992c0fe Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 29 Dec 2025 10:25:15 +0000
Subject: [PATCH] harden background url handling
Co-authored-by: Sunwuyuan <88357633+Sunwuyuan@users.noreply.github.com>
---
 src/pages/index.vue | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/pages/index.vue b/src/pages/index.vue
index 9111b6f..d3e6e7b 100644
--- a/src/pages/index.vue
+++ b/src/pages/index.vue
@@ -699,7 +699,7 @@ export default {
 backgroundOverlayStyle() {
 if (!this.hasBackgroundImage) return { display: "none" };
- const dim = Math.min(Math.max(this.backgroundDimAmount, 0), 100);
+ const dim = Math.min(Math.max(this.backgroundDimAmount, 0), 90);
 const overlayBlur = Math.min(Math.max(this.backgroundBlurAmount, 0), 50) / 3;
 return {
 backgroundColor: `rgba(0, 0, 0, ${dim / 100})`,
@@ -2227,7 +2227,13 @@ export default {
 return false;
 },
 sanitizeBackgroundUrl(url) {
- return url.replace(/["'()]/g, "");
+ if (!this.isSafeBackgroundUrl(url)) return "";
+ try {
+ const parsed = new URL(url, window.location.origin);
+ return parsed.href;
+ } catch (e) {
+ return url.replace(/["'()\\]/g, "");
+ }
 },
 safeBase64Decode(base64String) {
@@ -2442,7 +2448,4 @@ export default {
 .home-background {
 transform: scale(1.02);
 }
-
-.home-background-overlay {
-}
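Review bot: The `catch` branch of `sanitizeBackgroundUrl` fails open: when `new URL(url, window.location.origin)` throws, the unparsed string is returned with only quotes, parentheses and backslashes stripped, so the least well-formed input gets the weakest handling; `return "";` there would fail closed. The success path also loses the old stripping, because `parsed.href` percent-encodes `"` but leaves `(`, `)` and a `'` in the path as they are, and if the result is interpolated into a CSS `url(...)` value (the consumer is outside this hunk) those characters can still terminate the token; something like `return parsed.href.replace(/['()]/g, (c) => "%" + c.charCodeAt(0).toString(16));` keeps them encoded. `isSafeBackgroundUrl` starts outside the hunk and is applied to the raw string, so if it checks the scheme it would be safer to repeat that check on `parsed.protocol`, since the parser normalises the input before resolving the scheme.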