From 536e0771a4efe5eba847ac748b9c03c4d01b8bf7 Mon Sep 17 00:00:00 2001
From: JonKazama-Hellion
Date: Thu, 16 Apr 2026 20:28:22 +0200
Subject: [PATCH] =?UTF-8?q?chore(release):=20bump=20version=20to=20v2.0.1?= =?UTF-8?q?=20=E2=80=94=20hardening=20release?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Security fixes, widget event system, local favicons, i18n completeness, backdrop-filter fallback, code quality improvements. See CHANGELOG.md.
---
 CHANGELOG.md | 23 +++++++++++++++++++++++
 manifest.firefox.json | 2 +-
 manifest.json | 2 +-
 manifest.opera.json | 2 +-
 src/js/app.js | 2 +-
 5 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 79db7e6..9f142e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,29 @@ All notable changes per version. Format based on [Keep a Changelog](https://keep
 ---
+### v2.0.1 — 16.04.2026
+
+#### Security
+
+- **Background URL validation** — Only `blob:` and `data:image/` protocols allowed in CSS `backgroundImage` (prevents CSS injection via manipulated storage)
+- **Import URL validation** — `javascript:`, `data:`, and other unsafe protocols are blocked during JSON import
+- **Immutable import mapping** — Imported boards, bookmarks, and notes are sanitized with explicit field selection and string length limits
+
+#### Fixed
+
+- **Widget minimize race condition** — Replaced `setTimeout` with `transitionend` event; `openWidget()` during animation no longer causes display glitch
+- **Notes import mutation** — Import now uses `Notes.init()` instead of directly setting `Notes._notes`
+- **Complete i18n coverage** — 5 header button tooltips and 3 settings button texts now have `data-i18n` attributes (10 new translation keys)
+
+#### Changed
+
+- **Widget event system** — `WidgetManager` now dispatches `widget:close`, `widget:minimize`, `widget:open` CustomEvents via `EventTarget`. Calculator, Timer, and ImageRef use `WidgetManager.on()` instead of monkey-patching
+- **Local favicon icons** — Replaced Google Favicons API with local colored letter icons (deterministic hue per title). Zero external network requests, Brave Shields compatible
+- **backdrop-filter fallback** — `@supports not (backdrop-filter)` block with `--bg-solid-fallback` per theme for Brave Shields compatibility
+- **Clock interval cleanup** — `setInterval` ID stored in variable
+
+---
+
 ### v2.0.0 — 22.03.2026
 #### New Features
diff --git a/manifest.firefox.json b/manifest.firefox.json
index 1bcae52..af05674 100644
--- a/manifest.firefox.json
+++ b/manifest.firefox.json
@@ -2,7 +2,7 @@
 "manifest_version": 3,
 "name": "__MSG_extName__",
 "default_locale": "en",
- "version": "2.0.0",
+ "version": "2.0.1",
 "description": "__MSG_extDesc__",
 "author": "Hellion Online Media - Florian Wathling",
 "homepage_url": "https://hellion-media.de",
diff --git a/manifest.json b/manifest.json
index ed2dfeb..bb4466e 100644
--- a/manifest.json
+++ b/manifest.json
@@ -2,7 +2,7 @@
 "manifest_version": 3,
 "name": "__MSG_extName__",
 "default_locale": "en",
- "version": "2.0.0",
+ "version": "2.0.1",
 "description": "__MSG_extDesc__",
 "author": "Hellion Online Media - Florian Wathling",
 "homepage_url": "https://hellion-media.de",
diff --git a/manifest.opera.json b/manifest.opera.json
index f0b9cbc..7cd00a5 100644
--- a/manifest.opera.json
+++ b/manifest.opera.json
@@ -2,7 +2,7 @@
 "manifest_version": 3,
 "name": "__MSG_extName__",
 "default_locale": "en",
- "version": "2.0.0",
+ "version": "2.0.1",
 "description": "__MSG_extDesc__",
 "author": "Hellion Online Media - Florian Wathling",
 "homepage_url": "https://hellion-media.de",
diff --git a/src/js/app.js b/src/js/app.js
index dd16d25..920a9cd 100644
--- a/src/js/app.js
+++ b/src/js/app.js
@@ -132,7 +132,7 @@ function startClock() {
 `${t(DAY_KEYS[now.getDay()])}, ${String(now.getDate()).padStart(2,'0')}. ${t(MONTH_KEYS[now.getMonth()])}`;
 }
 tick();
- setInterval(tick, 1000);
+ const clockInterval = setInterval(tick, 1000);
 }
 // ---- GLOBALE EVENTS (Header-Buttons, Modals, Import) ----
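Review bot: The new `const clockInterval` in `startClock()` is a block-scoped local that is never read, and the `}` that follows appears to close the function, so the timer ID is discarded when the function returns and no `clearInterval()` call can ever reach it. The changelog describes this as "Clock interval cleanup", but as written the line behaves exactly like the bare `setInterval(tick, 1000);` it replaces and will trip a no-unused-vars lint. If the timer is meant to be stoppable, hand the ID to the caller with `return setInterval(tick, 1000);` or hold it in a module-level `let clockInterval = null;` and call `clearInterval(clockInterval);` before re-arming, which also prevents stacked timers if `startClock()` runs twice. The start of `startClock()` lies outside the hunk, so how often it is called is not visible here.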