Support build avatars sourced from non-GitHub URLs #1441

[sagar-pathak]

Description of proposed changes

Users will now be able to define a path to a custom avatar that is not hosted on GitHub through the config file.

Related issue(s)

Related Issue: #1441

• Checks pass
• If making user-facing changes, add a message in CHANGELOG.md summarizing the changes in this PR
• (to be done by a Nextstrain team member) Create preview PRs on downstream repositories.

[jameshadfield]

The changes look ok to me and work well on the datasets I've manually adjusted.

I think React's escaping of strings is enough to prevent XSS but would appreciate 👀 from @joverlee521 and @genehack on this. And also whether to allow base64 encoded images etc, however I think we already allow these in the markdown footer, right?

[genehack]

I think React's escaping of strings is enough to prevent XSS

From what I understand, with the way this is done (setting the src prop value via interpolation), React covers the XSS angle here. (To be clear, I did not try to inject something malicious, like a Base64-encoded hunk of JS, but I don't think that will work in an <img> element the way it would with a <a href.

And also whether to allow base64 encoded images etc, however I think we already allow these in the markdown footer, right?

I think supporting Base64-encoded images would be good; we may need to indicate something about how to do this in some docs somewhere, if we don't already?

I did leave one tweak suggestion on the PR that I think should be added, as a belt-and-suspenders check that somebody didn't stick an array or an object in the JSON instead of the expected string (the same way we check the buildUrl before the regex parsing is attempted).