fix: validate previewUrl in ImageToDataUrl

Addresses CodeQL alert for "DOM text reinterpreted as HTML" by ensuring the `src` attribute of the preview image strictly starts with `blob:`. This prevents potential XSS if `previewUrl` were somehow tainted with a `javascript:` URL.

Also removed the `title` attribute from the file name display to reduce surface area for attribute injection concerns, although React escapes it.

Co-authored-by: sabeerbikba <59386700+sabeerbikba@users.noreply.github.com>

Author: google-labs-jules[bot]

src/pages/ImageToDataUrl.jsx

@@ -114,6 +114,8 @@ const ImageToDataUrl = () => {
   const currentOutput =
     outputType === "url-encoded" && isSvg ? svgUrlEncoded : dataUrl;
 
+  const isValidPreviewUrl = previewUrl && previewUrl.startsWith("blob:");
+
   return (
     <ToolBoxLayout>
       <ToolBox title="Input Image">
@@ -144,7 +146,7 @@ const ImageToDataUrl = () => {
           {file && (
             <div className="flex flex-col md:flex-row gap-6 mt-4">
               <div className="w-full md:w-1/3 flex items-center justify-center bg-gray-800/50 rounded-lg p-4 min-h-[200px]">
-                {previewUrl && (
+                {isValidPreviewUrl && (
                   <img
                     src={previewUrl}
                     alt="Preview"