setAttribute + encodeURI to avoid “DOM text reinterpreted as HTML” alerts

CHANGELOG.md

@@ -99,6 +99,8 @@
 - **Strip trailing colons** from the stored URL (`rtrim($parts[3], ':')`) so we never send `…png:` back to the client.
 - Returns an array with both `'username'` and `'profile_picture'`, matching what `getCurrentUser.php` needs.
 
+### 10. setAttribute + encodeURI to avoid “DOM text reinterpreted as HTML” alerts
+
 ---
 
 ## Changes 5/8/2025

public/js/authModals.js

@@ -349,6 +349,9 @@ export async function openUserPanel() {
       if (!f) return;
       // preview immediately
       img.src = URL.createObjectURL(f);
+      const blobUrl = URL.createObjectURL(f);
+      // use setAttribute + encodeURI to avoid “DOM text reinterpreted as HTML” alerts
+      img.setAttribute('src', encodeURI(blobUrl));
       // upload
       const fd = new FormData();
       fd.append('profile_picture', f);