From 9a71a5241a7c87106f30ae2bb426f4bea7916ec0 Mon Sep 17 00:00:00 2001
From: Alphons Joseph <93847055+Crazypersonalph@users.noreply.github.com>
Date: Tue, 18 Mar 2025 15:23:04 +0800
Subject: [PATCH] vuln-fix: removed image urls, relying on blobs now

---
 src/interface/pages/themeCreator.svelte   | 10 ++++------
 src/interface/utils/themeImageHandlers.ts |  4 ++--
 src/types/CustomThemes.ts                 |  2 --
 3 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/src/interface/pages/themeCreator.svelte b/src/interface/pages/themeCreator.svelte
index d200bd45..382a1948 100644
--- a/src/interface/pages/themeCreator.svelte
+++ b/src/interface/pages/themeCreator.svelte
@@ -73,10 +73,8 @@
       const loadedTheme = {
         ...tempTheme,
         CustomImages: tempTheme.CustomImages.map(image => ({
-          ...image,
-          url: image.blob ? URL.createObjectURL(image.blob) : null
-        })),
-        coverImageUrl: tempTheme.coverImage ? URL.createObjectURL(tempTheme.coverImage) : undefined
+          ...image
+        }))
       }
 
       if (tempTheme) {
@@ -210,7 +208,7 @@
             {#each theme.CustomImages as image (image.id)}
               <div class="flex gap-2 items-center px-2 py-2 mb-4 h-16 bg-white rounded-lg shadow-lg dark:bg-zinc-700">
                 <div class="h-full">
-                  <img src={image.url} alt={image.variableName} class="object-contain h-full rounded-xs" />
+                  <img src="data:image/png;base64, {image.blob}" alt={image.variableName} class="object-contain h-full rounded-xs" />
                 </div>
                 <input
                   type="text"
@@ -310,7 +308,7 @@
       {/if}
       {#if theme.coverImage}
         <div class="absolute z-20 w-full h-full opacity-0 transition-opacity pointer-events-none group-hover:opacity-100 bg-black/20"></div>
-        <img src={theme.coverImageUrl} alt='Cover' class="object-cover absolute z-0 w-full h-full rounded-xs" />
+        <img src="data:image/png;base64, {theme.coverImage}" alt='Cover' class="object-cover absolute z-0 w-full h-full rounded-xs" />
       {/if}
     </div>
 
diff --git a/src/interface/utils/themeImageHandlers.ts b/src/interface/utils/themeImageHandlers.ts
index 977d02ff..254ca567 100644
--- a/src/interface/utils/themeImageHandlers.ts
+++ b/src/interface/utils/themeImageHandlers.ts
@@ -17,7 +17,7 @@ export function handleImageUpload(event: Event, theme: LoadedCustomTheme): Promi
         const variableName = `custom-image-${theme.CustomImages.length}`;
         resolve({
           ...theme,
-          CustomImages: [...theme.CustomImages, { id: imageId, blob: imageBlob, variableName, url: URL.createObjectURL(imageBlob) }],
+          CustomImages: [...theme.CustomImages, { id: imageId, blob: imageBlob, variableName, url: null }],
         });
       };
       reader.readAsDataURL(file);
@@ -51,7 +51,7 @@ export function handleCoverImageUpload(event: Event, theme: LoadedCustomTheme):
       const reader = new FileReader();
       reader.onload = async () => {
         const imageBlob = await fetch(reader.result as string).then(res => res.blob());
-        resolve({ ...theme, coverImage: imageBlob, coverImageUrl: URL.createObjectURL(imageBlob) });
+        resolve({ ...theme, coverImage: imageBlob });
       };
       reader.readAsDataURL(file);
     });
diff --git a/src/types/CustomThemes.ts b/src/types/CustomThemes.ts
index 79990f56..00202ede 100644
--- a/src/types/CustomThemes.ts
+++ b/src/types/CustomThemes.ts
@@ -20,9 +20,7 @@ export type LoadedCustomTheme = CustomTheme & {
     id: string;
     blob: Blob;
     variableName: string;
-    url: string | null;
   }[];
-  coverImageUrl?: string;
 };
 
 export type DownloadedTheme = CustomTheme & {