Bug found while integrating devify.me. assets/.../utils/url.js sanitizeHref() rejects valid same-directory relative paths: "assets/x.svg" → "#". It only accepts values starting with /, ., #, or http(s). This silently broke a header <img src> (rendered src="#").
Fix: accept a bare relative path segment (e.g. assets/x.svg, foo/bar.png), not only /.#/http prefixes — while still blocking javascript: and other dangerous schemes. Add a unit test for the bare-relative case.
Workaround in devify-me: pass ./assets/... (leading ./ passes the sanitizer). Surfaced 2026-06-20.
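
One way the requested behaviour could look, as an added example rather than the project's actual url.js: only the name sanitizeHref and the "#" fallback come from the report, while the function body, the constant names and the sample inputs are assumptions made for illustration.

```javascript
// Added illustration, not the project's code. Accepts the prefix forms the
// report lists (/, ., #, http(s)) plus bare relative paths; every other
// scheme, including javascript: and data:, falls back to "#".
const FALLBACK = '#';
const ALLOWED_SCHEMES = new Set(['http', 'https']);

function sanitizeHref(value) {
  if (typeof value !== 'string') return FALLBACK;
  // Browsers drop tab/CR/LF anywhere and trim C0 controls and spaces before
  // parsing a URL, so do the same first or "java\tscript:" slips through.
  const href = value
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  if (href === '') return FALLBACK;

  // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (scheme) {
    return ALLOWED_SCHEMES.has(scheme[1].toLowerCase()) ? href : FALLBACK;
  }

  // Prefix forms the report says are already accepted (this includes //host).
  if (/^[/.#]/.test(href)) return href;

  // New case: bare relative path such as assets/x.svg. A colon in the first
  // segment is ambiguous with a scheme, and browsers read "\" as "/" in
  // http(s) URLs, so neither may appear in a bare path.
  const firstSegment = href.split(/[/?#]/, 1)[0];
  if (firstSegment.includes(':') || href.includes('\\')) return FALLBACK;
  return href;
}

// Constructed sample inputs covering the cases named in the report.
const SAMPLES = [
  'assets/x.svg', 'foo/bar.png', './assets/x.svg', '/img/a.png', '#top',
  'https://example.com/a', 'javascript:alert(1)', ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)', 'data:text/html,x', '\\\\host/x', '1:foo',
];

function runSamples() {
  return SAMPLES.map((input) => [input, sanitizeHref(input)]);
}

for (const [input, output] of runSamples()) {
  console.log(JSON.stringify(input), '->', JSON.stringify(output));
}
```

The samples double as the unit-test cases the report asks for: the bare-relative inputs must come back unchanged and every scheme other than http(s) must come back as "#".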