From 9383c3cbf9f24a0b166a2fef3713aff99e466d9c Mon Sep 17 00:00:00 2001
From: clown145 <kisaki520@qq.com>
Date: Tue, 26 May 2026 17:24:35 +0800
Subject: [PATCH 1/6] fix: load plugin readme local image assets

---
 astrbot/dashboard/routes/plugin.py            |  55 +++++++++-
 astrbot/dashboard/server.py                   |   6 +-
 .../src/components/shared/ReadmeDialog.vue    |  46 ++++++++
 tests/test_dashboard.py                       | 100 +++++++++++++++++-
 4 files changed, 200 insertions(+), 7 deletions(-)

diff --git a/astrbot/dashboard/routes/plugin.py b/astrbot/dashboard/routes/plugin.py
index bb7769926a..b97c56b316 100644
--- a/astrbot/dashboard/routes/plugin.py
+++ b/astrbot/dashboard/routes/plugin.py
@@ -1,15 +1,17 @@
 import asyncio
 import hashlib
 import json
+import mimetypes
 import os
 import ssl
 import traceback
 from dataclasses import dataclass
 from datetime import datetime
+from pathlib import Path
 
 import aiohttp
 import certifi
-from quart import request
+from quart import abort, request, send_file
 
 from astrbot.api import sp
 from astrbot.core import DEMO_MODE, file_token_service, logger
@@ -33,6 +35,7 @@
 PLUGIN_UPDATE_CONCURRENCY = (
     3  # limit concurrent updates to avoid overwhelming plugin sources
 )
+PLUGIN_ASSET_MIME_PREFIX = "image/"
 
 
 @dataclass
@@ -65,6 +68,7 @@ def __init__(
             "/plugin/reload-failed": ("POST", self.reload_failed_plugins),
             "/plugin/reload": ("POST", self.reload_plugins),
             "/plugin/readme": ("GET", self.get_plugin_readme),
+            "/plugin/asset": ("GET", self.get_plugin_asset),
             "/plugin/changelog": ("GET", self.get_plugin_changelog),
             "/plugin/source/get": ("GET", self.get_custom_source),
             "/plugin/source/save": ("POST", self.save_custom_source),
@@ -86,6 +90,55 @@ def __init__(
 
         self._logo_cache = {}
 
+    def _get_plugin_dir(self, plugin_name: str) -> Path | None:
+        plugin_obj = self.plugin_manager.context.get_registered_star(plugin_name)
+        if not plugin_obj or not plugin_obj.root_dir_name:
+            return None
+
+        if plugin_obj.reserved:
+            root_path = self.plugin_manager.reserved_plugin_path
+        else:
+            root_path = self.plugin_manager.plugin_store_path
+        return Path(root_path) / plugin_obj.root_dir_name
+
+    def _resolve_plugin_asset_path(
+        self,
+        plugin_name: str,
+        asset_path: str,
+    ) -> Path | None:
+        plugin_dir = self._get_plugin_dir(plugin_name)
+        if not plugin_dir:
+            return None
+
+        root = plugin_dir.resolve(strict=False)
+        target = (root / asset_path).resolve(strict=False)
+        try:
+            target.relative_to(root)
+        except ValueError:
+            return None
+        return target
+
+    async def get_plugin_asset(self):
+        plugin_name = request.args.get("name")
+        asset_path = request.args.get("path")
+
+        if not plugin_name or not asset_path:
+            return abort(404)
+
+        try:
+            target = self._resolve_plugin_asset_path(plugin_name, asset_path)
+            if not target or not target.is_file():
+                return abort(404)
+
+            mimetype, _ = mimetypes.guess_type(target.name)
+            if not mimetype or not mimetype.startswith(PLUGIN_ASSET_MIME_PREFIX):
+                return abort(404)
+
+            return await send_file(str(target), mimetype=mimetype)
+        except (OSError, RuntimeError):
+            logger.warning(f"插件资源访问失败: {plugin_name}/{asset_path}")
+            return abort(404)
+
     async def check_plugin_compatibility(self):
         try:
             data = await request.get_json()
diff --git a/astrbot/dashboard/server.py b/astrbot/dashboard/server.py
index a4742aa672..0913d36ed3 100644
--- a/astrbot/dashboard/server.py
+++ b/astrbot/dashboard/server.py
@@ -205,8 +205,12 @@ async def auth_middleware(self):
         ]
         if any(request.path.startswith(prefix) for prefix in allowed_endpoints):
             return None
+
         # 声明 JWT
-        token = request.headers.get("Authorization")
+        if request.path == "/api/plugin/asset":
+            token = request.args.get("token") or request.headers.get("Authorization")
+        else:
+            token = request.headers.get("Authorization")
         if not token:
             r = jsonify(Response().error("未授权").__dict__)
             r.status_code = 401
diff --git a/dashboard/src/components/shared/ReadmeDialog.vue b/dashboard/src/components/shared/ReadmeDialog.vue
index ddc27cd900..20cd89257a 100644
--- a/dashboard/src/components/shared/ReadmeDialog.vue
+++ b/dashboard/src/components/shared/ReadmeDialog.vue
@@ -53,6 +53,47 @@ onUnmounted(() => {
   if (copyFeedbackTimer.value) clearTimeout(copyFeedbackTimer.value);
 });
 
+function isRemoteImageSrc(src) {
+  const value = (src || "").trim().toLowerCase();
+  return (
+    value.startsWith("http://") ||
+    value.startsWith("https://") ||
+    value.startsWith("//") ||
+    value.startsWith("data:") ||
+    value.startsWith("blob:")
+  );
+}
+
+function getPluginAssetSrc(src) {
+  if (!props.pluginName) return src;
+
+  const value = (src || "").trim();
+  if (!value || value.startsWith("#") || isRemoteImageSrc(value)) return src;
+  if (value.startsWith("/api/")) return src;
+  if (/^[a-zA-Z][a-zA-Z\d+\-.]*:/.test(value)) return src;
+
+  const normalizedValue = value.startsWith("/") ? value.slice(1) : value;
+  const pathEnd = normalizedValue.search(/[?#]/);
+  const rawPath =
+    pathEnd === -1 ? normalizedValue : normalizedValue.slice(0, pathEnd);
+  if (!rawPath) return src;
+
+  let decodedPath = rawPath;
+  try {
+    decodedPath = decodeURI(rawPath);
+  } catch (err) {
+    decodedPath = rawPath;
+  }
+
+  const params = new URLSearchParams({
+    name: props.pluginName,
+    path: decodedPath,
+  });
+  const token = localStorage.getItem("token");
+  if (token) params.set("token", token);
+  return `/api/plugin/asset?${params.toString()}`;
+}
+
 // 渲染后的 HTML
 const renderedHtml = computed(() => {
   // 强制依赖 locale，确保语言切换时重新渲染
@@ -161,6 +202,11 @@ const renderedHtml = computed(() => {
       link.setAttribute("rel", "noopener noreferrer");
     }
   });
+  tempDiv.querySelectorAll("img").forEach((img) => {
+    const src = img.getAttribute("src");
+    const assetSrc = getPluginAssetSrc(src);
+    if (assetSrc && assetSrc !== src) img.setAttribute("src", assetSrc);
+  });
 
   return tempDiv.innerHTML;
 });
diff --git a/tests/test_dashboard.py b/tests/test_dashboard.py
index cbaec66c7c..836a2133b3 100644
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -15,7 +15,6 @@
 from astrbot.dashboard.server import AstrBotDashboard
 from tests.fixtures.helpers import (
     MockPluginBuilder,
-    MockPluginConfig,
     create_mock_updater_install,
     create_mock_updater_update,
 )
@@ -145,9 +144,7 @@ async def test_plugins(
     monkeypatch.setattr(
         core_lifecycle_td.plugin_manager.updator, "install", mock_install
     )
-    monkeypatch.setattr(
-        core_lifecycle_td.plugin_manager.updator, "update", mock_update
-    )
+    monkeypatch.setattr(core_lifecycle_td.plugin_manager.updator, "update", mock_update)
 
     try:
         # 插件安装
@@ -158,7 +155,9 @@ async def test_plugins(
         )
         assert response.status_code == 200
         data = await response.get_json()
-        assert data["status"] == "ok", f"安装失败: {data.get('message', 'unknown error')}"
+        assert data["status"] == "ok", (
+            f"安装失败: {data.get('message', 'unknown error')}"
+        )
 
         # 验证插件已注册
         exists = any(md.name == test_plugin_name for md in star_registry)
@@ -201,6 +200,97 @@ async def test_plugins(
         builder.cleanup(test_plugin_name)
 
 
+@pytest.mark.asyncio
+async def test_plugin_asset_api(
+    app: Quart,
+    authenticated_header: dict,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+):
+    test_client = app.test_client()
+    plugin_store_path = core_lifecycle_td.plugin_manager.plugin_store_path
+    builder = MockPluginBuilder(plugin_store_path)
+
+    test_plugin_name = "test_plugin_asset"
+    plugin_dir = builder.create(test_plugin_name)
+    try:
+        success, error = await core_lifecycle_td.plugin_manager.load(
+            specified_dir_name=test_plugin_name
+        )
+        assert success, error
+
+        assets_dir = plugin_dir / "assets"
+        assets_dir.mkdir(exist_ok=True)
+        image_content = (
+            b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
+            b"\x00\x00\x00\x01\x00\x00\x00\x01"
+            b"\x08\x06\x00\x00\x00\x1f\x15\xc4\x89"
+        )
+        (assets_dir / "demo.png").write_bytes(image_content)
+        (assets_dir / "demo.jpg").write_bytes(b"\xff\xd8\xff\xd9")
+        (assets_dir / "demo.webp").write_bytes(b"RIFF\x00\x00\x00\x00WEBP")
+        (assets_dir / "demo.svg").write_text(
+            '<svg xmlns="http://www.w3.org/2000/svg"></svg>',
+            encoding="utf-8",
+        )
+        (assets_dir / "note.txt").write_text("not an image", encoding="utf-8")
+
+        token = authenticated_header["Authorization"].removeprefix("Bearer ")
+        response = await test_client.get(
+            "/api/plugin/asset",
+            query_string={
+                "name": test_plugin_name,
+                "path": "assets/demo.png",
+                "token": token,
+            },
+        )
+        assert response.status_code == 200
+        assert response.content_type.startswith("image/png")
+        assert await response.get_data() == image_content
+
+        for image_name in ("demo.jpg", "demo.webp", "demo.svg"):
+            response = await test_client.get(
+                "/api/plugin/asset",
+                query_string={
+                    "name": test_plugin_name,
+                    "path": f"assets/{image_name}",
+                    "token": token,
+                },
+            )
+            assert response.status_code == 200
+            assert response.content_type.startswith("image/")
+
+        response = await test_client.get(
+            "/api/plugin/asset",
+            query_string={"name": test_plugin_name, "path": "assets/demo.png"},
+        )
+        assert response.status_code == 401
+
+        response = await test_client.get(
+            "/api/plugin/asset",
+            query_string={
+                "name": test_plugin_name,
+                "path": "../metadata.yaml",
+                "token": token,
+            },
+        )
+        assert response.status_code == 404
+
+        response = await test_client.get(
+            "/api/plugin/asset",
+            query_string={
+                "name": test_plugin_name,
+                "path": "assets/note.txt",
+                "token": token,
+            },
+        )
+        assert response.status_code == 404
+    finally:
+        try:
+            await core_lifecycle_td.plugin_manager.uninstall_plugin(test_plugin_name)
+        except Exception:
+            builder.cleanup(test_plugin_name)
+
+
 @pytest.mark.asyncio
 async def test_commands_api(app: Quart, authenticated_header: dict):
     """Tests the command management API endpoints."""

From fe91f88a05f99d22359bb1b7900bf22df00072df Mon Sep 17 00:00:00 2001
From: clown145 <kisaki520@qq.com>
Date: Tue, 26 May 2026 19:01:20 +0800
Subject: [PATCH 2/6] feat: support github plugin readme image source

---
 astrbot/dashboard/routes/plugin.py            | 74 +++++++++++++------
 .../src/components/shared/ProxySelector.vue   | 43 +++++++++++
 .../src/components/shared/ReadmeDialog.vue    | 55 +++++++++++++-
 .../i18n/locales/en-US/features/settings.json |  6 +-
 .../i18n/locales/zh-CN/features/settings.json |  6 +-
 dashboard/src/utils/githubProxy.js            | 51 +++++++++++++
 dashboard/src/views/ExtensionPage.vue         |  2 +-
 .../src/views/extension/useExtensionPage.js   |  8 +-
 tests/test_dashboard.py                       | 72 ++++++++++++++++++
 9 files changed, 280 insertions(+), 37 deletions(-)
 create mode 100644 dashboard/src/utils/githubProxy.js

diff --git a/astrbot/dashboard/routes/plugin.py b/astrbot/dashboard/routes/plugin.py
index b97c56b316..41da3dc56e 100644
--- a/astrbot/dashboard/routes/plugin.py
+++ b/astrbot/dashboard/routes/plugin.py
@@ -3,11 +3,13 @@
 import json
 import mimetypes
 import os
+import re
 import ssl
 import traceback
 from dataclasses import dataclass
 from datetime import datetime
 from pathlib import Path
+from urllib.parse import urlparse
 
 import aiohttp
 import certifi
@@ -36,6 +38,8 @@
     3  # limit concurrent updates to avoid overwhelming plugin sources
 )
 PLUGIN_ASSET_MIME_PREFIX = "image/"
+GITHUB_DEFAULT_BRANCH_REF = "HEAD"
+GITHUB_REPO_PART_PATTERN = re.compile(r"^[A-Za-z0-9_.-]+$")
 
 
 @dataclass
@@ -90,6 +94,39 @@ def __init__(
 
         self._logo_cache = {}
 
+    def _parse_github_repo_url(self, repo_url: str | None) -> tuple[str, str] | None:
+        if not repo_url:
+            return None
+
+        parsed = urlparse(repo_url.strip())
+        if parsed.scheme not in ("http", "https"):
+            return None
+        if parsed.netloc.lower() != "github.com":
+            return None
+
+        parts = [part for part in parsed.path.strip("/").split("/") if part]
+        if len(parts) < 2:
+            return None
+
+        owner = parts[0]
+        repo = parts[1].removesuffix(".git")
+        if not owner or not repo:
+            return None
+        if not GITHUB_REPO_PART_PATTERN.fullmatch(owner):
+            return None
+        if not GITHUB_REPO_PART_PATTERN.fullmatch(repo):
+            return None
+
+        return owner, repo
+
+    def _build_github_raw_base(self, repo_url: str | None) -> str | None:
+        repo_info = self._parse_github_repo_url(repo_url)
+        if not repo_info:
+            return None
+
+        owner, repo = repo_info
+        return f"https://github.com/{owner}/{repo}/raw/{GITHUB_DEFAULT_BRANCH_REF}"
+
     def _get_plugin_dir(self, plugin_name: str) -> Path | None:
         plugin_obj = self.plugin_manager.context.get_registered_star(plugin_name)
         if not plugin_obj or not plugin_obj.root_dir_name:
@@ -766,12 +803,7 @@ async def get_plugin_readme(self):
             logger.warning("插件名称为空")
             return Response().error("插件名称不能为空").__dict__
 
-        plugin_obj = None
-        for plugin in self.plugin_manager.context.get_all_stars():
-            if plugin.name == plugin_name:
-                plugin_obj = plugin
-                break
-
+        plugin_obj = self.plugin_manager.context.get_registered_star(plugin_name)
         if not plugin_obj:
             logger.warning(f"插件 {plugin_name} 不存在")
             return Response().error(f"插件 {plugin_name} 不存在").__dict__
@@ -780,34 +812,28 @@ async def get_plugin_readme(self):
             logger.warning(f"插件 {plugin_name} 目录不存在")
             return Response().error(f"插件 {plugin_name} 目录不存在").__dict__
 
-        if plugin_obj.reserved:
-            plugin_dir = os.path.join(
-                self.plugin_manager.reserved_plugin_path,
-                plugin_obj.root_dir_name,
-            )
-        else:
-            plugin_dir = os.path.join(
-                self.plugin_manager.plugin_store_path,
-                plugin_obj.root_dir_name,
-            )
-
-        if not os.path.isdir(plugin_dir):
+        plugin_dir = self._get_plugin_dir(plugin_name)
+        if not plugin_dir or not plugin_dir.is_dir():
             logger.warning(f"无法找到插件目录: {plugin_dir}")
             return Response().error(f"无法找到插件 {plugin_name} 的目录").__dict__
 
-        readme_path = os.path.join(plugin_dir, "README.md")
-
-        if not os.path.isfile(readme_path):
+        readme_path = plugin_dir / "README.md"
+        if not readme_path.is_file():
             logger.warning(f"插件 {plugin_name} 没有README文件")
             return Response().error(f"插件 {plugin_name} 没有README文件").__dict__
 
         try:
-            with open(readme_path, encoding="utf-8") as f:
-                readme_content = f.read()
+            readme_content = readme_path.read_text(encoding="utf-8")
 
             return (
                 Response()
-                .ok({"content": readme_content}, "成功获取README内容")
+                .ok(
+                    {
+                        "content": readme_content,
+                        "github_raw_base": self._build_github_raw_base(plugin_obj.repo),
+                    },
+                    "成功获取README内容",
+                )
                 .__dict__
             )
         except Exception as e:
diff --git a/dashboard/src/components/shared/ProxySelector.vue b/dashboard/src/components/shared/ProxySelector.vue
index 8cf69a542e..a993196026 100644
--- a/dashboard/src/components/shared/ProxySelector.vue
+++ b/dashboard/src/components/shared/ProxySelector.vue
@@ -46,14 +46,37 @@
             </v-radio-group>
         </div>
     </v-expand-transition>
+    <div v-if="showReadmeImageSetting" class="mt-3">
+        <v-switch
+            v-model="readmeImageUseGitHub"
+            color="primary"
+            density="compact"
+            hide-details="true"
+            :label="tm('network.proxySelector.readmeImages.useGitHub')">
+        </v-switch>
+        <div class="text-caption text-medium-emphasis mt-1">
+            {{ tm('network.proxySelector.readmeImages.hint') }}
+        </div>
+    </div>
 </template>
 
 
 <script>
 import axios from 'axios';
 import { useModuleI18n } from '@/i18n/composables';
+import {
+    PLUGIN_README_IMAGE_SOURCE,
+    getPluginReadmeImageSource,
+    setPluginReadmeImageSource
+} from '@/utils/githubProxy';
 
 export default {
+    props: {
+        showReadmeImageSetting: {
+            type: Boolean,
+            default: true,
+        },
+    },
     setup() {
         const { tm } = useModuleI18n('features/settings');
         return { tm };
@@ -72,9 +95,22 @@ export default {
             loadingTestingConnection: false,
             testingProxies: {},
             proxyStatus: {},
+            readmeImageSource: PLUGIN_README_IMAGE_SOURCE.LOCAL,
             initializing: true,
         }
     },
+    computed: {
+        readmeImageUseGitHub: {
+            get() {
+                return this.readmeImageSource === PLUGIN_README_IMAGE_SOURCE.GITHUB;
+            },
+            set(value) {
+                this.readmeImageSource = value
+                    ? PLUGIN_README_IMAGE_SOURCE.GITHUB
+                    : PLUGIN_README_IMAGE_SOURCE.LOCAL;
+            }
+        }
+    },
     methods: {
         getProxyByControl(control) {
             const normalizedControl = String(control);
@@ -136,6 +172,7 @@ export default {
         const savedRadio = localStorage.getItem('githubProxyRadioValue') || "0";
         const savedControl = String(localStorage.getItem('githubProxyRadioControl') || "0");
 
+        this.readmeImageSource = getPluginReadmeImageSource();
         this.radioValue = savedRadio;
         this.githubProxyRadioControl = savedControl;
 
@@ -185,6 +222,12 @@ export default {
             if (normalizedVal !== "-1") {
                 this.selectedGitHubProxy = this.getProxyByControl(normalizedVal);
             }
+        },
+        readmeImageSource: function (newVal) {
+            if (this.initializing) {
+                return;
+            }
+            setPluginReadmeImageSource(newVal);
         }
     }
 }
diff --git a/dashboard/src/components/shared/ReadmeDialog.vue b/dashboard/src/components/shared/ReadmeDialog.vue
index 20cd89257a..69be92f2c4 100644
--- a/dashboard/src/components/shared/ReadmeDialog.vue
+++ b/dashboard/src/components/shared/ReadmeDialog.vue
@@ -1,11 +1,16 @@
 <script setup>
-import { ref, watch, computed, onUnmounted } from "vue";
+import { ref, watch, computed, onMounted, onUnmounted } from "vue";
 import MarkdownIt from "markdown-it";
 import hljs from "highlight.js";
 import axios from "axios";
 import DOMPurify from "dompurify";
 import "highlight.js/styles/github-dark.css";
 import { useI18n } from "@/i18n/composables";
+import {
+  PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT,
+  buildGitHubProxyUrl,
+  isPluginReadmeGitHubImageSource,
+} from "@/utils/githubProxy";
 
 // 1. 在 setup 作用域创建 MarkdownIt 实例
 const md = new MarkdownIt({
@@ -48,9 +53,28 @@ const loading = ref(false);
 const isEmpty = ref(false);
 const copyFeedbackTimer = ref(null);
 const lastRequestId = ref(0);
+const githubRawBase = ref(null);
+const readmeImageSourceVersion = ref(0);
 
 onUnmounted(() => {
   if (copyFeedbackTimer.value) clearTimeout(copyFeedbackTimer.value);
+  if (typeof window !== "undefined") {
+    window.removeEventListener(
+      PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT,
+      handleReadmeImageSourceChanged,
+    );
+  }
+});
+
+function handleReadmeImageSourceChanged() {
+  readmeImageSourceVersion.value += 1;
+}
+
+onMounted(() => {
+  window.addEventListener(
+    PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT,
+    handleReadmeImageSourceChanged,
+  );
 });
 
 function isRemoteImageSrc(src) {
@@ -64,6 +88,16 @@ function isRemoteImageSrc(src) {
   );
 }
 
+function normalizeGitHubAssetPath(decodedPath) {
+  const segments = [];
+  for (const segment of decodedPath.split("/")) {
+    if (!segment || segment === ".") continue;
+    if (segment === "..") return null;
+    segments.push(segment);
+  }
+  return segments.length ? segments.join("/") : null;
+}
+
 function getPluginAssetSrc(src) {
   if (!props.pluginName) return src;
 
@@ -85,6 +119,18 @@ function getPluginAssetSrc(src) {
     decodedPath = rawPath;
   }
 
+  const suffix = pathEnd === -1 ? "" : normalizedValue.slice(pathEnd);
+  if (githubRawBase.value && isPluginReadmeGitHubImageSource()) {
+    const githubPath = normalizeGitHubAssetPath(decodedPath);
+    if (!githubPath) return src;
+
+    const encodedPath = githubPath
+      .split("/")
+      .map((part) => encodeURIComponent(part))
+      .join("/");
+    return buildGitHubProxyUrl(`${githubRawBase.value}/${encodedPath}${suffix}`);
+  }
+
   const params = new URLSearchParams({
     name: props.pluginName,
     path: decodedPath,
@@ -97,7 +143,7 @@ function getPluginAssetSrc(src) {
 // 渲染后的 HTML
 const renderedHtml = computed(() => {
   // 强制依赖 locale，确保语言切换时重新渲染
-  const _ = locale?.value;
+  const _ = `${locale?.value}:${readmeImageSourceVersion.value}`;
   if (!content.value) return "";
 
   // 设置 fence 规则，直接使用当前作用域的 t 函数
@@ -261,6 +307,7 @@ async function fetchContent() {
   content.value = null;
   error.value = null;
   isEmpty.value = false;
+  githubRawBase.value = null;
 
   try {
     let params;
@@ -273,7 +320,9 @@ async function fetchContent() {
     if (requestId !== lastRequestId.value) return;
 
     if (res.data.status === "ok") {
-      if (res.data.data.content) content.value = res.data.data.content;
+      const data = res.data.data || {};
+      if (data.github_raw_base) githubRawBase.value = data.github_raw_base;
+      if (data.content) content.value = data.content;
       else isEmpty.value = true;
     } else {
       error.value = res.data.message;
diff --git a/dashboard/src/i18n/locales/en-US/features/settings.json b/dashboard/src/i18n/locales/en-US/features/settings.json
index 19232125f9..4609deed99 100644
--- a/dashboard/src/i18n/locales/en-US/features/settings.json
+++ b/dashboard/src/i18n/locales/en-US/features/settings.json
@@ -13,7 +13,11 @@
       "testConnection": "Test Connection",
       "available": "Available",
       "unavailable": "Unavailable",
-      "custom": "Custom"
+      "custom": "Custom",
+      "readmeImages": {
+        "useGitHub": "Load plugin README images from GitHub",
+        "hint": "Images load from the local plugin directory by default. When enabled, AstrBot uses the plugin repository's default branch and applies the GitHub proxy if it is enabled."
+      }
     }
   },
   "theme": {
diff --git a/dashboard/src/i18n/locales/zh-CN/features/settings.json b/dashboard/src/i18n/locales/zh-CN/features/settings.json
index 19c1c7c41e..ee255a4ef4 100644
--- a/dashboard/src/i18n/locales/zh-CN/features/settings.json
+++ b/dashboard/src/i18n/locales/zh-CN/features/settings.json
@@ -13,7 +13,11 @@
       "testConnection": "测试代理连通性",
       "available": "可用",
       "unavailable": "不可用",
-      "custom": "自定义"
+      "custom": "自定义",
+      "readmeImages": {
+        "useGitHub": "插件文档图片从 GitHub 加载",
+        "hint": "默认从本地插件目录加载，开启后会使用插件仓库的默认分支地址；若启用 GitHub 加速，将自动使用加速地址。"
+      }
     }
   },
   "theme": {
diff --git a/dashboard/src/utils/githubProxy.js b/dashboard/src/utils/githubProxy.js
new file mode 100644
index 0000000000..3535bdf681
--- /dev/null
+++ b/dashboard/src/utils/githubProxy.js
@@ -0,0 +1,51 @@
+export const GITHUB_PROXY_RADIO_VALUE_KEY = "githubProxyRadioValue";
+export const SELECTED_GITHUB_PROXY_KEY = "selectedGitHubProxy";
+export const PLUGIN_README_IMAGE_SOURCE_KEY = "pluginReadmeImageSource";
+export const PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT =
+  "plugin-readme-image-source-changed";
+
+export const PLUGIN_README_IMAGE_SOURCE = {
+  LOCAL: "local",
+  GITHUB: "github",
+};
+
+export function getSelectedGitHubProxy() {
+  if (typeof window === "undefined" || !window.localStorage) return "";
+  return localStorage.getItem(GITHUB_PROXY_RADIO_VALUE_KEY) === "1"
+    ? localStorage.getItem(SELECTED_GITHUB_PROXY_KEY) || ""
+    : "";
+}
+
+export function buildGitHubProxyUrl(url, proxy = getSelectedGitHubProxy()) {
+  const normalizedProxy = (proxy || "").trim().replace(/\/+$/, "");
+  if (!normalizedProxy) return url;
+  return `${normalizedProxy}/${url}`;
+}
+
+export function getPluginReadmeImageSource() {
+  if (typeof window === "undefined" || !window.localStorage) {
+    return PLUGIN_README_IMAGE_SOURCE.LOCAL;
+  }
+  const source = localStorage.getItem(PLUGIN_README_IMAGE_SOURCE_KEY);
+  return source === PLUGIN_README_IMAGE_SOURCE.GITHUB
+    ? PLUGIN_README_IMAGE_SOURCE.GITHUB
+    : PLUGIN_README_IMAGE_SOURCE.LOCAL;
+}
+
+export function isPluginReadmeGitHubImageSource() {
+  return getPluginReadmeImageSource() === PLUGIN_README_IMAGE_SOURCE.GITHUB;
+}
+
+export function setPluginReadmeImageSource(source) {
+  if (typeof window === "undefined" || !window.localStorage) return;
+  const normalizedSource =
+    source === PLUGIN_README_IMAGE_SOURCE.GITHUB
+      ? PLUGIN_README_IMAGE_SOURCE.GITHUB
+      : PLUGIN_README_IMAGE_SOURCE.LOCAL;
+  localStorage.setItem(PLUGIN_README_IMAGE_SOURCE_KEY, normalizedSource);
+  window.dispatchEvent(
+    new CustomEvent(PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT, {
+      detail: { source: normalizedSource },
+    }),
+  );
+}
diff --git a/dashboard/src/views/ExtensionPage.vue b/dashboard/src/views/ExtensionPage.vue
index 4703ff5696..c9c0b220c5 100644
--- a/dashboard/src/views/ExtensionPage.vue
+++ b/dashboard/src/views/ExtensionPage.vue
@@ -655,7 +655,7 @@ const {
                 </v-alert>
               </div>
 
-              <ProxySelector></ProxySelector>
+              <ProxySelector :show-readme-image-setting="false"></ProxySelector>
             </div>
           </v-window-item>
         </v-window>
diff --git a/dashboard/src/views/extension/useExtensionPage.js b/dashboard/src/views/extension/useExtensionPage.js
index f57aad6d98..b6866d1f43 100644
--- a/dashboard/src/views/extension/useExtensionPage.js
+++ b/dashboard/src/views/extension/useExtensionPage.js
@@ -4,6 +4,7 @@ import { useCommonStore } from "@/stores/common";
 import { useI18n, useModuleI18n } from "@/i18n/composables";
 import { getPlatformDisplayName } from "@/utils/platformUtils";
 import { resolveErrorMessage } from "@/utils/errorUtils";
+import { getSelectedGitHubProxy } from "@/utils/githubProxy";
 import { ref, computed, onMounted, onUnmounted, reactive, watch } from "vue";
 import { useRoute, useRouter } from "vue-router";
 import { useDisplay } from "vuetify";
@@ -63,13 +64,6 @@ export const useExtensionPage = () => {
   const route = useRoute();
   const { width } = useDisplay();
   
-  const getSelectedGitHubProxy = () => {
-    if (typeof window === "undefined" || !window.localStorage) return "";
-    return localStorage.getItem("githubProxyRadioValue") === "1"
-      ? localStorage.getItem("selectedGitHubProxy") || ""
-      : "";
-  };
-  
   // 检查指令冲突并提示
   const conflictDialog = reactive({
     show: false,
diff --git a/tests/test_dashboard.py b/tests/test_dashboard.py
index 836a2133b3..155b3236c7 100644
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -291,6 +291,78 @@ async def test_plugin_asset_api(
             builder.cleanup(test_plugin_name)
 
 
+@pytest.mark.asyncio
+async def test_plugin_readme_github_raw_base(
+    app: Quart,
+    authenticated_header: dict,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+):
+    test_client = app.test_client()
+    plugin_store_path = core_lifecycle_td.plugin_manager.plugin_store_path
+    builder = MockPluginBuilder(plugin_store_path)
+
+    test_plugin_name = "test_plugin_readme_github"
+    repo_url = f"https://github.com/test/{test_plugin_name}.git"
+    builder.create(test_plugin_name, repo=repo_url)
+    try:
+        success, error = await core_lifecycle_td.plugin_manager.load(
+            specified_dir_name=test_plugin_name
+        )
+        assert success, error
+
+        response = await test_client.get(
+            "/api/plugin/readme",
+            query_string={"name": test_plugin_name},
+            headers=authenticated_header,
+        )
+        assert response.status_code == 200
+        data = await response.get_json()
+        assert data["status"] == "ok"
+        assert data["data"]["github_raw_base"] == (
+            f"https://github.com/test/{test_plugin_name}/raw/HEAD"
+        )
+        assert "/main" not in data["data"]["github_raw_base"]
+    finally:
+        try:
+            await core_lifecycle_td.plugin_manager.uninstall_plugin(test_plugin_name)
+        except Exception:
+            builder.cleanup(test_plugin_name)
+
+
+@pytest.mark.asyncio
+async def test_plugin_readme_github_raw_base_ignores_non_github_repo(
+    app: Quart,
+    authenticated_header: dict,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+):
+    test_client = app.test_client()
+    plugin_store_path = core_lifecycle_td.plugin_manager.plugin_store_path
+    builder = MockPluginBuilder(plugin_store_path)
+
+    test_plugin_name = "test_plugin_readme_non_github"
+    builder.create(test_plugin_name, repo="https://git.example.com/test/plugin")
+    try:
+        success, error = await core_lifecycle_td.plugin_manager.load(
+            specified_dir_name=test_plugin_name
+        )
+        assert success, error
+
+        response = await test_client.get(
+            "/api/plugin/readme",
+            query_string={"name": test_plugin_name},
+            headers=authenticated_header,
+        )
+        assert response.status_code == 200
+        data = await response.get_json()
+        assert data["status"] == "ok"
+        assert data["data"]["github_raw_base"] is None
+    finally:
+        try:
+            await core_lifecycle_td.plugin_manager.uninstall_plugin(test_plugin_name)
+        except Exception:
+            builder.cleanup(test_plugin_name)
+
+
 @pytest.mark.asyncio
 async def test_commands_api(app: Quart, authenticated_header: dict):
     """Tests the command management API endpoints."""

From 15612510bbd076c2221f3ebd4ed316a6f44519bf Mon Sep 17 00:00:00 2001
From: clown145 <kisaki520@qq.com>
Date: Tue, 26 May 2026 20:06:46 +0800
Subject: [PATCH 3/6] fix: align plugin readme image source switch

---
 .../src/components/shared/ProxySelector.vue   | 31 +++++++++++++++++--
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/dashboard/src/components/shared/ProxySelector.vue b/dashboard/src/components/shared/ProxySelector.vue
index a993196026..c7025a94eb 100644
--- a/dashboard/src/components/shared/ProxySelector.vue
+++ b/dashboard/src/components/shared/ProxySelector.vue
@@ -46,9 +46,10 @@
             </v-radio-group>
         </div>
     </v-expand-transition>
-    <div v-if="showReadmeImageSetting" class="mt-3">
+    <div v-if="showReadmeImageSetting" class="readme-image-source mt-3">
         <v-switch
             v-model="readmeImageUseGitHub"
+            class="readme-image-source-switch"
             color="primary"
             density="compact"
             hide-details="true"
@@ -233,8 +234,32 @@ export default {
 }
 </script>
 
-<style>
-.v-label {
+<style scoped>
+:deep(.v-label) {
     font-size: 0.875rem;
 }
+
+.readme-image-source {
+    max-width: 100%;
+    overflow: visible;
+    padding-left: 10px;
+}
+
+.readme-image-source-switch {
+    overflow: visible;
+}
+
+.readme-image-source-switch :deep(.v-selection-control) {
+    min-height: 32px;
+    overflow: visible;
+}
+
+.readme-image-source-switch :deep(.v-selection-control__wrapper) {
+    overflow: visible;
+}
+
+.readme-image-source-switch :deep(.v-label) {
+    line-height: 1.35;
+    white-space: normal;
+}
 </style>

From c72650ac01ad83faf3485303d395b6dbda27a594 Mon Sep 17 00:00:00 2001
From: clown145 <kisaki520@qq.com>
Date: Thu, 11 Jun 2026 20:11:14 +0800
Subject: [PATCH 4/6] fix: secure plugin readme asset loading

---
 astrbot/dashboard/routes/plugin.py            | 15 ++++-
 astrbot/dashboard/server.py                   |  2 -
 .../shared/PluginReadmeImageSourceSetting.vue | 55 +++++++------------
 .../src/components/shared/ReadmeDialog.vue    |  2 -
 tests/test_dashboard.py                       | 39 +++++++++++++
 5 files changed, 70 insertions(+), 43 deletions(-)

diff --git a/astrbot/dashboard/routes/plugin.py b/astrbot/dashboard/routes/plugin.py
index 4c73d45d4d..aa0073d27d 100644
--- a/astrbot/dashboard/routes/plugin.py
+++ b/astrbot/dashboard/routes/plugin.py
@@ -215,10 +215,14 @@ def _get_plugin_metadata_by_name(self, plugin_name: str) -> StarMetadata | None:
         return None
 
     def _parse_github_repo_url(self, repo_url: str | None) -> tuple[str, str] | None:
-        if not repo_url:
+        if not isinstance(repo_url, str):
             return None
 
-        parsed = urlsplit(repo_url.strip())
+        normalized_repo_url = repo_url.strip()
+        if not normalized_repo_url:
+            return None
+
+        parsed = urlsplit(normalized_repo_url)
         if parsed.scheme not in ("http", "https"):
             return None
         if parsed.netloc.lower() != "github.com":
@@ -232,6 +236,8 @@ def _parse_github_repo_url(self, repo_url: str | None) -> tuple[str, str] | None
         repo = parts[1].removesuffix(".git")
         if not owner or not repo:
             return None
+        if owner in {".", ".."} or repo in {".", ".."}:
+            return None
         if not GITHUB_REPO_PART_PATTERN.fullmatch(owner):
             return None
         if not GITHUB_REPO_PART_PATTERN.fullmatch(repo):
@@ -409,7 +415,10 @@ async def get_plugin_asset(self):
         if not mimetype or not mimetype.startswith(PLUGIN_ASSET_MIME_PREFIX):
             return await self._plugin_page_error_response(404, "Plugin asset not found")
 
-        return await self._serve_plugin_page_static_asset(file_path)
+        response = await self._serve_plugin_page_static_asset(file_path)
+        if mimetype == "image/svg+xml":
+            response.headers["Content-Security-Policy"] = "default-src 'none'"
+        return response
 
     async def _resolve_plugin_pages_root(
         self,
diff --git a/astrbot/dashboard/server.py b/astrbot/dashboard/server.py
index 5cc3f3100a..a39337b5ff 100644
--- a/astrbot/dashboard/server.py
+++ b/astrbot/dashboard/server.py
@@ -264,8 +264,6 @@ async def auth_middleware(self):
             return None
         is_plugin_page_path = PluginPageAuth.is_protected_path(request.path)
         token = self._extract_dashboard_jwt()
-        if not token and request.path == "/api/plugin/asset":
-            token = request.args.get("token", "").strip()
         if not token and is_plugin_page_path:
             token = PluginPageAuth.extract_asset_token()
         if not token:
diff --git a/dashboard/src/components/shared/PluginReadmeImageSourceSetting.vue b/dashboard/src/components/shared/PluginReadmeImageSourceSetting.vue
index 4128838961..08945f4076 100644
--- a/dashboard/src/components/shared/PluginReadmeImageSourceSetting.vue
+++ b/dashboard/src/components/shared/PluginReadmeImageSourceSetting.vue
@@ -5,7 +5,7 @@
             class="readme-image-source-switch"
             color="primary"
             density="compact"
-            hide-details="true"
+            hide-details
             :label="tm('network.proxySelector.readmeImages.useGitHub')">
         </v-switch>
         <div class="text-caption text-medium-emphasis mt-1">
@@ -14,7 +14,8 @@
     </div>
 </template>
 
-<script>
+<script setup>
+import { computed, ref, watch } from 'vue';
 import { useModuleI18n } from '@/i18n/composables';
 import {
     PLUGIN_README_IMAGE_SOURCE,
@@ -22,42 +23,24 @@ import {
     setPluginReadmeImageSource
 } from '@/utils/githubProxy';
 
-export default {
-    setup() {
-        const { tm } = useModuleI18n('features/settings');
-        return { tm };
-    },
-    data() {
-        return {
-            readmeImageSource: PLUGIN_README_IMAGE_SOURCE.LOCAL,
-            initializing: true,
-        }
-    },
-    computed: {
-        readmeImageUseGitHub: {
-            get() {
-                return this.readmeImageSource === PLUGIN_README_IMAGE_SOURCE.GITHUB;
-            },
-            set(value) {
-                this.readmeImageSource = value
-                    ? PLUGIN_README_IMAGE_SOURCE.GITHUB
-                    : PLUGIN_README_IMAGE_SOURCE.LOCAL;
-            }
-        }
-    },
-    mounted() {
-        this.readmeImageSource = getPluginReadmeImageSource();
-        this.initializing = false;
+const { tm } = useModuleI18n('features/settings');
+
+const readmeImageSource = ref(getPluginReadmeImageSource());
+
+const readmeImageUseGitHub = computed({
+    get() {
+        return readmeImageSource.value === PLUGIN_README_IMAGE_SOURCE.GITHUB;
     },
-    watch: {
-        readmeImageSource: function (newVal) {
-            if (this.initializing) {
-                return;
-            }
-            setPluginReadmeImageSource(newVal);
-        }
+    set(value) {
+        readmeImageSource.value = value
+            ? PLUGIN_README_IMAGE_SOURCE.GITHUB
+            : PLUGIN_README_IMAGE_SOURCE.LOCAL;
     }
-}
+});
+
+watch(readmeImageSource, (newVal) => {
+    setPluginReadmeImageSource(newVal);
+});
 </script>
 
 <style scoped>
diff --git a/dashboard/src/components/shared/ReadmeDialog.vue b/dashboard/src/components/shared/ReadmeDialog.vue
index d3eeaed368..35269d745f 100644
--- a/dashboard/src/components/shared/ReadmeDialog.vue
+++ b/dashboard/src/components/shared/ReadmeDialog.vue
@@ -256,8 +256,6 @@ function getPluginAssetSrc(src) {
     name: props.pluginName,
     path: decodedPath,
   });
-  const token = localStorage.getItem("token");
-  if (token) params.set("token", token);
   return `/api/plugin/asset?${params.toString()}`;
 }
 
diff --git a/tests/test_dashboard.py b/tests/test_dashboard.py
index d434ee41a9..cf7dfc508a 100644
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -1128,6 +1128,24 @@ async def test_plugin_readme_returns_default_branch_github_raw_base(
     )
 
 
+@pytest.mark.parametrize(
+    "repo_url",
+    [
+        None,
+        123,
+        "",
+        "https://github.com/./AstrBot",
+        "https://github.com/../AstrBot",
+        "https://github.com/AstrBotDevs/.",
+        "https://github.com/AstrBotDevs/..",
+    ],
+)
+def test_plugin_readme_github_raw_base_rejects_invalid_repo_url(repo_url):
+    route = PluginRoute.__new__(PluginRoute)
+
+    assert route._build_github_raw_base(repo_url) is None
+
+
 @pytest.mark.asyncio
 async def test_plugin_readme_asset_serves_image_from_plugin_root(
     app: Quart,
@@ -1143,9 +1161,30 @@ async def test_plugin_readme_asset_serves_image_from_plugin_root(
 
     assert response.status_code == 200
     assert response.headers["Content-Type"].startswith("image/svg+xml")
+    assert response.headers["Content-Security-Policy"] == "default-src 'none'"
     assert "<svg" in content
 
 
+@pytest.mark.asyncio
+async def test_plugin_readme_asset_rejects_dashboard_token_query(
+    app: Quart,
+    authenticated_header: dict,
+    registered_plugin_page: StarMetadata,
+):
+    token = authenticated_header["Authorization"].removeprefix("Bearer ")
+    test_client = app.test_client()
+    response = await test_client.get(
+        "/api/plugin/asset",
+        query_string={
+            "name": PLUGIN_PAGE_DEMO_NAME,
+            "path": f"pages/{PLUGIN_PAGE_DEMO_PAGE_NAME}/images/logo.svg",
+            "token": token,
+        },
+    )
+
+    assert response.status_code == 401
+
+
 @pytest.mark.asyncio
 async def test_plugin_readme_asset_blocks_non_images_and_path_traversal(
     app: Quart,

From 11c59d4af0222d9b0110c771de44a7f6d9e167fe Mon Sep 17 00:00:00 2001
From: clown145 <kisaki520@qq.com>
Date: Thu, 11 Jun 2026 21:20:32 +0800
Subject: [PATCH 5/6] fix: harden plugin readme asset handling

---
 astrbot/dashboard/routes/plugin.py               |  2 +-
 dashboard/src/components/shared/ReadmeDialog.vue | 10 ++++++----
 tests/test_dashboard.py                          |  9 +++++++++
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/astrbot/dashboard/routes/plugin.py b/astrbot/dashboard/routes/plugin.py
index 678b6e1b46..62017063c3 100644
--- a/astrbot/dashboard/routes/plugin.py
+++ b/astrbot/dashboard/routes/plugin.py
@@ -225,7 +225,7 @@ def _parse_github_repo_url(self, repo_url: str | None) -> tuple[str, str] | None
         parsed = urlsplit(normalized_repo_url)
         if parsed.scheme not in ("http", "https"):
             return None
-        if parsed.netloc.lower() != "github.com":
+        if parsed.netloc.lower() not in {"github.com", "www.github.com"}:
             return None
 
         parts = [part for part in parsed.path.strip("/").split("/") if part]
diff --git a/dashboard/src/components/shared/ReadmeDialog.vue b/dashboard/src/components/shared/ReadmeDialog.vue
index 35269d745f..336f4fc35f 100644
--- a/dashboard/src/components/shared/ReadmeDialog.vue
+++ b/dashboard/src/components/shared/ReadmeDialog.vue
@@ -192,10 +192,12 @@ function handleReadmeImageSourceChanged() {
 }
 
 onMounted(() => {
-  window.addEventListener(
-    PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT,
-    handleReadmeImageSourceChanged,
-  );
+  if (typeof window !== "undefined") {
+    window.addEventListener(
+      PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT,
+      handleReadmeImageSourceChanged,
+    );
+  }
 });
 
 function isRemoteImageSrc(src) {
diff --git a/tests/test_dashboard.py b/tests/test_dashboard.py
index 7f965afe8b..eb0590b596 100644
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -1801,6 +1801,15 @@ def test_plugin_readme_github_raw_base_rejects_invalid_repo_url(repo_url):
     assert route._build_github_raw_base(repo_url) is None
 
 
+def test_plugin_readme_github_raw_base_accepts_www_github_repo_url():
+    route = PluginRoute.__new__(PluginRoute)
+
+    assert (
+        route._build_github_raw_base("https://www.github.com/AstrBotDevs/AstrBot.git")
+        == "https://github.com/AstrBotDevs/AstrBot/raw/HEAD"
+    )
+
+
 @pytest.mark.asyncio
 async def test_plugin_readme_asset_serves_image_from_plugin_root(
     app: Quart,

From d8b899428753e3db2a3b1e5897d5555c9ac94949 Mon Sep 17 00:00:00 2001
From: clown145 <kisaki520@qq.com>
Date: Thu, 11 Jun 2026 22:23:49 +0800
Subject: [PATCH 6/6] fix: improve plugin readme asset compatibility

---
 astrbot/dashboard/routes/plugin.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/astrbot/dashboard/routes/plugin.py b/astrbot/dashboard/routes/plugin.py
index 62017063c3..3654100670 100644
--- a/astrbot/dashboard/routes/plugin.py
+++ b/astrbot/dashboard/routes/plugin.py
@@ -77,6 +77,9 @@
 _PLUGIN_PAGE_ROOT_DIR_NAME = "pages"
 _PLUGIN_PAGE_ENTRY_FILE_NAME = "index.html"
 
+mimetypes.add_type("image/svg+xml", ".svg")
+mimetypes.add_type("image/webp", ".webp")
+
 
 def _normalize_plugin_page_asset_path(asset_path: str) -> str:
     return PluginRoute._normalize_plugin_page_path(asset_path, allow_empty=True)
@@ -460,7 +463,7 @@ async def get_plugin_asset(self):
         try:
             file_path = await self._resolve_plugin_asset_file(plugin, asset_path)
         except (FileNotFoundError, ValueError, OSError):
-            logger.warning(f"插件资源访问失败: {plugin_name}/{asset_path}")
+            logger.info(f"插件资源访问失败: {plugin_name}/{asset_path}")
             return await self._plugin_page_error_response(404, "Plugin asset not found")
 
         mimetype, _ = mimetypes.guess_type(file_path.name)