From 1add160f5d3afbe89cafc9e1000ff7cb9bc05009 Mon Sep 17 00:00:00 2001
From: Ryan
Date: Wed, 14 May 2025 07:00:04 -0400
Subject: [PATCH] =?UTF-8?q?setAttribute=20+=20encodeURI=20to=20avoid=20?= =?UTF-8?q?=E2=80=9CDOM=20text=20reinterpreted=20as=20HTML=E2=80=9D=20aler?= =?UTF-8?q?ts?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 CHANGELOG.md | 2 ++
 public/js/authModals.js | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 55d3c7e..9a50768 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -99,6 +99,8 @@
 - **Strip trailing colons** from the stored URL (`rtrim($parts[3], ':')`) so we never send `…png:` back to the client.
 - Returns an array with both `'username'` and `'profile_picture'`, matching what `getCurrentUser.php` needs.
+### 10. setAttribute + encodeURI to avoid “DOM text reinterpreted as HTML” alerts
+
 ---
 ## Changes 5/8/2025
diff --git a/public/js/authModals.js b/public/js/authModals.js
index 2fc2168..d7067a3 100644
--- a/public/js/authModals.js
+++ b/public/js/authModals.js
@@ -349,6 +349,9 @@ export async function openUserPanel() {
 if (!f) return;
 // preview immediately
 img.src = URL.createObjectURL(f);
+ const blobUrl = URL.createObjectURL(f);
+ // use setAttribute + encodeURI to avoid “DOM text reinterpreted as HTML” alerts
+ img.setAttribute('src', encodeURI(blobUrl));
 // upload
 const fd = new FormData();
 fd.append('profile_picture', f);
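Review bot: The unchanged line `img.src = URL.createObjectURL(f);` still runs immediately before the added lines in the authModals.js hunk, so the assignment the alert presumably pointed at is still present, and a second object URL is now created for the same file; neither URL is revoked in the visible lines. Drop that context line so only `blobUrl` is assigned, and release it once the preview has loaded, e.g. `img.addEventListener('load', () => URL.revokeObjectURL(blobUrl), { once: true });`. `encodeURI` leaves a browser-generated `blob:` URL unchanged in practice, so the new comment should say it is there to satisfy the scanner rather than to sanitise anything. The trust decision belongs on `f` itself (a type and size check before preview and upload, backed by server-side validation), which may already exist outside this hunk. openUserPanel's body starts and ends outside the hunk.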