Security Update

This update implements the following measures to enhance security and protect user data:

• Cross-Site Scripting (XSS) Protection:
  • Implemented the purify.js library for sanitizing HTML and especially SVG content (custom icons, imported data), preventing the execution of malicious scripts.
  • Enhanced escaping of all user input (username, link names/URLs, notes, search queries, search suggestions) using the sanitizeText function to block interpretation as HTML.
  • Prioritized the secure textContent method for inserting text into the DOM; innerHTML is used only after explicit sanitization.
  • Improved validation and sanitization of data when importing settings from JSON files.
• URL Security:
  • Implemented the sanitizeUrl function for strict validation and cleaning of all URLs used in the application (quick links, background, search navigation), blocking unsafe protocols (e.g., javascript:, data: except for images) and incorrect formats.
  • All external links opening in a new tab now use the rel="noopener noreferrer" attributes to protect against tabnabbing attacks and enhance privacy.
• API Security and Data Handling:
  • Interaction with search suggestion APIs (Google, Bing, DDG, Wikipedia) is performed over HTTPS. Requests and responses are sanitized.
  • manifest.json uses Manifest V3, requesting only necessary permissions (storage) and access to specific hosts (host_permissions) for suggestion APIs.
  • Data loaded from browser.storage.local and imported files undergoes validation for correct format and types before use.
• User Confirmations:
  • Added explicit confirmation (confirm()) before deleting quick links and notes to prevent accidental data loss.

UI Improvements

• Improved notes interface.
• Minor UI tweaks for settings and search suggestions.
• Added animations when opening a new tab.
• Fixed an issue where a large number of links on the new tab could push the interface off-screen.