The application now correctly encodes the url query string for the profile-picture name (for security reasons), removed a left-over print-statement

application/app/templates/registration/login.html

@@ -69,7 +69,7 @@
         <ul class="userlist">
             {% for user_ in user_list %}
                 <li class="userlistButton button" data-username="{{ user_.username }}">
-                    <img src="{{ '/profilepictures?name='|add:user_.profile_picture_filename }}">
+                    <img src="/profilepictures?name={{ user_.profile_picture_filename|urlencode }}">
                     <div>
                         {% if user_.first_name %}
 

application/app/templates/userPanel.html

@@ -3,7 +3,7 @@
 
 <div class="userPanel">
     <div class="userInfo">
-        <img src="{{ '/profilepictures?name='|add:user.profile_picture_filename }}">
+        <img src="/profilepictures?name={{ user.profile_picture_filename|urlencode }}">
         <span>
             {% if user.first_name != "" %}
                 {% translate "User" %}: {{ user.first_name }} {{ user.last_name }} ({{ user.username }})

application/app/views.py

@@ -124,7 +124,6 @@ def redirect_home(request):
 def profile_pictures(request):
     if not "name" in request.GET:
         return HttpResponse(b"", status=400)
-    print(request.GET["name"])
     ppic_filepath = Path(profile_pictures_path / request.GET["name"]).resolve()
     try:
         ppic_filepath.relative_to(profile_pictures_path)