diff --git a/src/components/IdentityGraph.svelte b/src/components/IdentityGraph.svelte
index ccf2e90..dcf0e1d 100644
--- a/src/components/IdentityGraph.svelte
+++ b/src/components/IdentityGraph.svelte
@@ -478,11 +478,15 @@
 try {
 const decoded = atob(encoded);
 const data = JSON.parse(decoded);
+
+ if (!data || typeof data !== 'object') return false;
+ if (!Array.isArray(data.nodes) || !Array.isArray(data.links)) return false;
+
 if (data.nodes && data.links) {
 pushState();
 nodes = normalizeNodes(data.nodes);
 links = data.links;
- if (data.transform) {
+ if (data.transform && typeof data.transform === 'object') {
 transform = data.transform;
 } else {
 centerView();
@@ -1044,9 +1048,22 @@
 };
 }
 
+ function isValidImageUrl(url: string): boolean {
+ if (!url || typeof url !== 'string') return false;
+ const trimmed = url.trim();
+ if (!trimmed) return false;
+
+ if (trimmed.startsWith('javascript:')) return false;
+ if (trimmed.startsWith('data:')) {
+ return trimmed.startsWith('data:image/');
+ }
+ return trimmed.startsWith('http://') || trimmed.startsWith('https://');
+ }
+
 function normalizeNodes(nodesToNormalize: Node[]): Node[] {
 return nodesToNormalize.map((node) => ({
 ...node,
+ imageUrl: node.imageUrl && isValidImageUrl(node.imageUrl) ? node.imageUrl : undefined,
 showLabel: node.showLabel !== undefined ? node.showLabel : true,
 showType: node.showType !== undefined ? node.showType : true,
 showNotes: node.showNotes !== undefined ? node.showNotes : true,
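Review bot: In the `@@ -478` hunk the new guards only establish that `nodes` and `links` are arrays; `links = data.links` still assigns the decoded elements unchecked, and `typeof data.transform === 'object'` is also true for an array or for an object whose fields are not numbers. Because `data` comes straight from `JSON.parse(atob(encoded))`, it should be treated as untrusted and narrowed further, for example `if (data.transform && typeof data.transform === 'object' && !Array.isArray(data.transform)) {`, plus a `Number.isFinite` check on whichever transform fields the view code reads. The surviving `if (data.nodes && data.links)` is always true once the `Array.isArray` guards have passed and can be dropped. The enclosing function starts before this hunk and the `else` branch ends after it.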
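Review bot: In the `@@ -1044` hunk `isValidImageUrl` accepts any `data:image/` prefix, which includes `data:image/svg+xml`; SVG can carry script and external references, so whether that is safe depends on how `imageUrl` is rendered, which this hunk does not show. The `javascript:` test is case-sensitive and redundant, since the final http/https allowlist already rejects every other scheme, while an upper-case `HTTPS://` URL is dropped for the same reason. I would allowlist raster MIME types for `data:` and compare the parsed `protocol` from `new URL()`, as sketched below. The check also runs on the trimmed string while `normalizeNodes` stores the untrimmed `node.imageUrl`, so storing `node.imageUrl.trim()` keeps the validated and stored values identical. Any accepted http(s) URL from an imported graph is presumably fetched on render, which discloses the viewer's address to that host; the body of `normalizeNodes` continues past the end of the hunk.

```typescript
// Raster formats only: SVG is excluded because it can embed script and external references.
const RASTER_DATA_URL = /^data:image\/(?:png|jpeg|gif|webp)[;,]/i;

function isValidImageUrl(url: string): boolean {
  if (typeof url !== 'string') return false;
  const trimmed = url.trim();
  if (RASTER_DATA_URL.test(trimmed)) return true;
  try {
    // URL parsing lower-cases the scheme, so the comparison is case-insensitive.
    const { protocol } = new URL(trimmed);
    return protocol === 'http:' || protocol === 'https:';
  } catch {
    return false;
  }
}
// … unchanged: normalizeNodes …
```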