XSS possible via unfiltered src in img.initia.xyz proxy endpoint
The img.initia.xyz proxy endpoint accepted unfiltered `src` parameters, allowing attacker-controlled URLs to be embedded into the trusted initia.xyz origin and used for XSS-style attacks.
Description
The img.initia.xyz proxy endpoint accepted a `src` query parameter without sufficient validation and fetched whatever URL it named. Because the fetched bytes were then served from img.initia.xyz, a browser attributed them to that trusted origin rather than to the attacker's host: attacker-controlled content was rendered with the Initia origin's identity and under its CSP and trust boundary. Content that is not actually an image could therefore execute in that context, enabling XSS-style attacks against users of the widget and the broader Initia application surface.
Recommendation
Validate `src` against an allowlist of trusted image hosts (exact hostname match, https only) before fetching anything. Check the upstream response's Content-Type against an allowlist of image types and reject, rather than relay, anything else. Serve the proxied bytes with the pinned Content-Type, `X-Content-Type-Options: nosniff`, and a strict Content-Security-Policy on the proxy endpoint so that even if script-bearing content were relayed it could not execute in-page.
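The three controls above, implemented as an added example in Node.js. This is not Initia's proxy code or code from Pashov Audit Group; the allowlisted hostnames, the accepted image types, the handler shape and the stub upstream are all assumptions made for the illustration. The stub upstream is constructed so the example runs offline and includes one response that lies about its Content-Type, which is the case the check exists for.

```javascript
// Added example, not code from Initia or Pashov Audit Group: a hardened
// image-proxy handler applying the recommendation's three controls
// (host allowlist, upstream content-type check, strict CSP on the reply).
// Hostnames, accepted types and the stub upstream are assumptions.

// Assumed allowlist of upstream image hosts; matched exactly, so
// "images.example.com.evil.net" or "evilimages.example.com" do not pass.
const ALLOWED_HOSTS = new Set(["images.example.com", "cdn.example.net"]);

// Raster formats only, each paired with its leading magic bytes. A Map is
// used so a type like "constructor" cannot hit Object.prototype.
// image/svg+xml is deliberately absent: SVG is an XML document that may
// contain <script>, which would run on the proxy's origin if relayed.
const IMAGE_MAGIC = new Map([
  ["image/png", Buffer.from([0x89, 0x50, 0x4e, 0x47])],
  ["image/jpeg", Buffer.from([0xff, 0xd8, 0xff])],
  ["image/gif", Buffer.from("GIF8")],
  ["image/webp", Buffer.from("RIFF")],
]);

// Control 1: validate the src parameter before any fetch happens.
function validateSrc(src, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(src); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "malformed url" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme not https" };
  if (url.username || url.password) return { ok: false, reason: "credentials in url" };
  if (!allowedHosts.has(url.hostname.toLowerCase())) return { ok: false, reason: "host not allowlisted" };
  return { ok: true, url: url.href };
}

// Control 2: accept the upstream body only if the declared type is an
// allowed raster type AND the bytes start with that type's magic number,
// so an HTML or SVG body cannot be smuggled through under a fake header.
function checkUpstream(contentType, body) {
  const type = String(contentType || "").split(";")[0].trim().toLowerCase();
  const magic = IMAGE_MAGIC.get(type);
  if (!magic) return { ok: false, reason: `content-type ${type || "(none)"} not allowed` };
  if (!body.subarray(0, magic.length).equals(magic)) {
    return { ok: false, reason: "body does not match declared content-type" };
  }
  return { ok: true, type };
}

// Control 3: response headers that pin the type, forbid MIME sniffing and
// apply a CSP under which nothing could execute even if markup got through.
function proxyResponseHeaders(type) {
  return {
    "Content-Type": type,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
    "Content-Disposition": "inline",
  };
}

// The handler. fetchUpstream(url) is injected so the example runs offline;
// a real deployment would pass a network fetch with a timeout and size cap.
async function proxyImage(src, fetchUpstream) {
  const v = validateSrc(src);
  if (!v.ok) return { status: 400, headers: {}, body: v.reason };
  const upstream = await fetchUpstream(v.url);
  const c = checkUpstream(upstream.contentType, upstream.body);
  if (!c.ok) return { status: 502, headers: {}, body: c.reason };
  return { status: 200, headers: proxyResponseHeaders(c.type), body: upstream.body };
}

// Constructed stub upstream: one genuine PNG header and one "PNG" whose body
// is really an SVG document carrying script, served with a lying content-type.
const FAKE_UPSTREAM = {
  "https://images.example.com/logo.png": {
    contentType: "image/png",
    body: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  },
  "https://images.example.com/payload.png": {
    contentType: "image/png",
    body: Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'),
  },
};
async function stubFetch(url) {
  const hit = FAKE_UPSTREAM[url];
  if (!hit) throw new Error(`stub has no entry for ${url}`);
  return hit;
}

// Usage when run directly: node proxy-check.js
if (typeof require !== "undefined" && require.main === module) {
  (async () => {
    for (const src of [
      "https://images.example.com/logo.png",      // 200, image/png
      "https://images.example.com/payload.png",   // 502, body is not a PNG
      "https://attacker.example/evil.svg",        // 400, host not allowlisted
      "javascript:alert(1)",                      // 400, scheme not https
    ]) {
      const r = await proxyImage(src, stubFetch);
      console.log(src, "->", r.status, r.status === 200 ? r.headers["Content-Type"] : r.body);
    }
  })();
}
```

The magic-byte check is what makes the content-type control meaningful: an attacker who controls the upstream also controls its Content-Type header, so the declared type alone proves nothing. Pinning the reply's Content-Type together with `nosniff` then stops the browser from second-guessing the proxy, and the `default-src 'none'` CSP is the backstop for whatever the first two layers miss.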
Initia: Resolved. Pashov Audit Group: Resolved.