fix(security): unencoded username in api route construction

tomaioo · tomaioo · commit 8ad0e5e71d37 · 2026-04-12T19:22:50.000+07:00
The username is inserted directly into `/api/gravatar/${props.username}`. A crafted username containing path separators or reserved URL characters can change the effective request path and potentially hit unintended endpoints.

Signed-off-by: tomaioo &lt;203048277+tomaioo@users.noreply.github.com&gt;
diff --git a/app/components/User/Avatar.vue b/app/components/User/Avatar.vue
@@ -31,7 +31,7 @@ const textClass = computed(() => {
   }
 })
 
-const { data: gravatarUrl } = useLazyFetch(() => `/api/gravatar/${props.username}`, {
+const { data: gravatarUrl } = useLazyFetch(() => `/api/gravatar/${encodeURIComponent(props.username)}`, {
   transform: res => (res.hash ? `/_avatar/${res.hash}?s=128&d=404` : null),
   getCachedData(key, nuxtApp) {
     return nuxtApp.static.data[key] ?? nuxtApp.payload.data[key]

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ const textClass = computed(() => {`
`31`	`31`	`}`
`32`	`32`	`})`
`33`	`33`
`34`		-const { data: gravatarUrl } = useLazyFetch(() => `/api/gravatar/${props.username}`, {
	`34`	+const { data: gravatarUrl } = useLazyFetch(() => `/api/gravatar/${encodeURIComponent(props.username)}`, {
`35`	`35`	transform: res => (res.hash ? `/_avatar/${res.hash}?s=128&d=404` : null),
`36`	`36`	`getCachedData(key, nuxtApp) {`
`37`	`37`	`return nuxtApp.static.data[key] ?? nuxtApp.payload.data[key]`