diff --git a/CHANGELOG.md b/CHANGELOG.md
index 55d3c7e..9a50768 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -99,6 +99,8 @@
 - **Strip trailing colons** from the stored URL (`rtrim($parts[3], ':')`) so we never send `…png:` back to the client.
 - Returns an array with both `'username'` and `'profile_picture'`, matching what `getCurrentUser.php` needs.
+### 10. setAttribute + encodeURI to avoid “DOM text reinterpreted as HTML” alerts
+
 ---
 ## Changes 5/8/2025
diff --git a/public/js/authModals.js b/public/js/authModals.js
index 2fc2168..d7067a3 100644
--- a/public/js/authModals.js
+++ b/public/js/authModals.js
@@ -349,6 +349,9 @@ export async function openUserPanel() {
 if (!f) return;
 // preview immediately
 img.src = URL.createObjectURL(f);
+const blobUrl = URL.createObjectURL(f);
+// use setAttribute + encodeURI to avoid “DOM text reinterpreted as HTML” alerts
+img.setAttribute('src', encodeURI(blobUrl));
 // upload
 const fd = new FormData();
 fd.append('profile_picture', f);
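Review bot: The authModals.js hunk now calls `URL.createObjectURL(f)` twice per selected file — the retained context line `img.src = URL.createObjectURL(f);` mints a blob URL that the new `setAttribute` line immediately orphans, and neither URL is revoked anywhere in the hunk, so each preview leaks an object URL until the document unloads (unless a revoke exists elsewhere in openUserPanel, whose body starts and ends outside the hunk). Delete the old `img.src = …` assignment and release the URL once the preview has loaded: `const blobUrl = URL.createObjectURL(f);` `img.onload = () => URL.revokeObjectURL(blobUrl);` `img.setAttribute('src', encodeURI(blobUrl));`. Separately, `encodeURI` is not a sanitizer and a `blob:` URL generated by the browser for a File object is not user-controlled text, so the added comment overstates what the change achieves; reword it to `// setAttribute + encodeURI only satisfies the static-analysis finding; the blob: URL is browser-generated, not user text` so a later reader does not mistake it for an XSS mitigation.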