Updated code with utility functions

client/src/components/Auth/AuthLayout.tsx

@@ -56,17 +56,17 @@ function AuthLayout({
     }
     return null;
   };
-  const logo_url = startupConfig?.interface?.loginImageUrl;
-  const logo_text = startupConfig?.interface?.loginText;
+  const logoUrl = startupConfig?.interface?.loginImageUrl;
+  const logoText = startupConfig?.interface?.loginText;
 
   return (
     <div className="relative flex min-h-screen flex-col bg-white dark:bg-gray-900">
       <Banner />
       <BlinkAnimation active={isFetching}>
-        {logo_url ? (
+        {logoUrl ? (
           <div className="mt-6 flex w-full justify-center">
             <img
-              src={logo_url}
+              src={logoUrl}
               className="max-h-64 w-auto object-contain"
               alt={localize('com_ui_logo', { 0: startupConfig?.appTitle ?? 'LibreChat' })}
             />
@@ -101,13 +101,15 @@ function AuthLayout({
       )}
       
       {/* ——— WELCOME SECTIONS ——— */}
-      <main className="mx-auto w-full max-w-2xl space-y-8 p-6 text-black dark:text-white">
-        <section>
-          <div className="prose dark:prose-invert w-full max-w-none !text-text-primary">
-            <MarkdownLite content={logo_text} />
+      {logoText && (
+        <section className="mx-auto w-full max-w-2xl space-y-8 p-6 text-black dark:text-white">
+          <div>
+            <div className="prose dark:prose-invert w-full max-w-none !text-text-primary">
+              <MarkdownLite content={logoText} />
+            </div>
           </div>
         </section>
-      </main>
+      )}
       {/* — end welcome sections — */}
       <DisplayError />
       <div className="absolute bottom-0 left-0 md:m-4">

packages/data-provider/src/config.ts

@@ -7,6 +7,7 @@ import { fileConfigSchema } from './file-config';
 import { apiBaseUrl } from './api-endpoints';
 import { FileSources } from './types/files';
 import { MCPServersSchema } from './mcp';
+import { isSafeImageUrl } from './utils';
 
 export const defaultSocialLogins = ['google', 'facebook', 'openid', 'github', 'discord', 'saml'];
 
@@ -609,7 +610,13 @@ export const interfaceSchema = z
       .optional(),
     termsOfService: termsOfServiceSchema.optional(),
     customWelcome: z.string().optional(),
-    loginImageUrl: z.string().optional(),
+    loginImageUrl: z
+      .string()
+      .url()
+      .refine(isSafeImageUrl, {
+        message: 'loginImageUrl must be a valid HTTP or HTTPS URL',
+      })
+      .optional(),
     loginText: z.string().optional(),
     mcpServers: mcpServersSchema.optional(),
     endpointsMenu: z.boolean().optional(),

packages/data-provider/src/utils.ts

@@ -60,3 +60,17 @@ export function extractEnvVariable(value: string) {
 export function normalizeEndpointName(name = ''): string {
   return name.toLowerCase() === 'ollama' ? 'ollama' : name;
 }
+
+/**
+ * Validates that a URL uses only safe protocols (http or https)
+ * @param url - The URL string to validate
+ * @returns true if the URL is safe, false otherwise
+ */
+export const isSafeImageUrl = (url: string): boolean => {
+  try {
+    const parsedUrl = new URL(url);
+    return parsedUrl.protocol === 'http:' || parsedUrl.protocol === 'https:';
+  } catch {
+    return false;
+  }
+};