Bump version to 1.0.22-beta with security hardening

Add DOMPurify HTML sanitization across all dangerouslySetInnerHTML
and innerHTML usages. Escape user-controlled values in templates.
Set Mermaid securityLevel to strict, KaTeX trust to false.
Add useShallow selectors to prevent unnecessary re-renders.
Cache loaded images in renderedMarkdown to survive re-renders.
Update website download links and changelog.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: bydb

CHANGELOG.md

@@ -2,6 +2,19 @@
 
 Alle nennenswerten Änderungen an diesem Projekt werden hier dokumentiert.
 
+## [1.0.22-beta] - 2026-02-08
+
+### Security
+- **DOMPurify HTML-Sanitization**: Alle `dangerouslySetInnerHTML`- und `innerHTML`-Ausgaben werden jetzt mit DOMPurify sanitized — verhindert XSS über bösartige Markdown-Dateien, SVGs oder AI-Antworten
+- **SVG-Sanitization**: SVG-Dateien im ImageViewer werden mit spezieller SVG-Sanitization gerendert (Script-Tags, Event-Handler und foreignObject werden entfernt)
+- **HTML-Escaping**: Alle user-kontrollierten Werte (Dateinamen, Notiz-Namen, Fehlermeldungen) in innerHTML-Templates werden jetzt HTML-escaped
+- **Mermaid Security**: `securityLevel` von `loose` auf `strict` geändert — verhindert Click-Callbacks und HTML-Labels in Diagrammen
+- **KaTeX Trust**: `trust` von `true` auf `false` geändert — blockiert potenziell gefährliche KaTeX-Befehle
+- **Zustand Selector-Optimierung**: `useShallow` für Store-Aufrufe im MarkdownEditor — verhindert unnötige Re-Renders bei Panel-Wechseln
+
+### Fixes
+- **Preview-Bilder bei Panel-Wechsel**: Geladene Bilder werden jetzt gecacht und direkt in den HTML-String eingebettet — SVGs/Bilder verschwinden nicht mehr beim Öffnen von Karteikarten oder anderen Panels
+
 ## [1.0.21-beta] - 2026-02-08
 
 ### Features

app/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "mindgraph-notes",
-  "version": "1.0.21-beta",
+  "version": "1.0.22-beta",
   "description": "Eine minimalistische Markdown-Notizen-App mit editierbarer Graph View",
   "main": "out/main/index.js",
   "scripts": {
@@ -80,6 +80,7 @@
     }
   },
   "devDependencies": {
+    "@types/dompurify": "^3.0.5",
     "@types/markdown-it": "^14.1.2",
     "@types/react": "^19.2.8",
     "@types/react-dom": "^19.2.3",
@@ -100,6 +101,7 @@
     "@xterm/addon-fit": "^0.11.0",
     "@xterm/xterm": "^6.0.0",
     "chokidar": "^5.0.0",
+    "dompurify": "^3.3.1",
     "html-to-image": "^1.11.13",
     "katex": "^0.16.27",
     "markdown-it": "^14.1.0",

app/package.json

@@ -7,6 +7,7 @@ import { WidgetType } from '@codemirror/view'
 import type { Note } from '../../../../../shared/types'
 import { renderResult } from '../../../../utils/dataview'
 import { useDataviewStore } from '../../../../stores/dataviewStore'
+import { sanitizeHtml, escapeHtml } from '../../../../utils/sanitize'
 
 export class DataviewWidget extends WidgetType {
   private container: HTMLElement | null = null
@@ -64,7 +65,7 @@ export class DataviewWidget extends WidgetType {
       console.log('[DataviewWidget] Rendered HTML length:', html.length)
 
       if (this.container) {
-        this.container.innerHTML = html
+        this.container.innerHTML = sanitizeHtml(html)
 
         // Add click handlers for note links
         this.setupLinkHandlers()
@@ -74,7 +75,7 @@ export class DataviewWidget extends WidgetType {
       if (this.container) {
         this.container.innerHTML = `<div class="dataview-error">
           <span class="dataview-error-icon">⚠️</span>
-          <span class="dataview-error-message">Error: ${error instanceof Error ? error.message : 'Unknown error'}</span>
+          <span class="dataview-error-message">Error: ${escapeHtml(error instanceof Error ? error.message : 'Unknown error')}</span>
         </div>`
       }
     }

app/src/renderer/components/Editor/MarkdownEditor.tsx

@@ -1,4 +1,5 @@
 import { WidgetType } from '@codemirror/view'
+import { escapeHtml } from '../../../../utils/sanitize'
 
 /**
  * Widget for rendered wikilinks
@@ -390,7 +391,7 @@ export class PdfEmbedWidget extends WidgetType {
           <path d="M4 1C3.45 1 3 1.45 3 2V14C3 14.55 3.45 15 4 15H12C12.55 15 13 14.55 13 14V5.41C13 5.15 12.89 4.9 12.71 4.71L10.29 2.29C10.1 2.11 9.85 2 9.59 2H4Z" fill="#ffebee" stroke="#e53935" strokeWidth="0.8"/>
           <text x="8" y="11" text-anchor="middle" font-size="5" font-weight="bold" fill="#e53935">PDF</text>
         </svg>
-        <span class="lp-pdf-filename">${this.filename}</span>
+        <span class="lp-pdf-filename">${escapeHtml(this.filename)}</span>
       `
       container.appendChild(header)
 
@@ -420,7 +421,7 @@ export class PdfEmbedWidget extends WidgetType {
         console.log('[PdfEmbed] iframe added to container')
       } catch (e) {
         console.error('[PdfEmbed] Error creating PDF view:', e)
-        container.innerHTML += `<div class="lp-pdf-error">Error: ${e}</div>`
+        container.innerHTML += `<div class="lp-pdf-error">Error: ${escapeHtml(String(e))}</div>`
       }
     } else {
       // PDF not found
@@ -430,7 +431,7 @@ export class PdfEmbedWidget extends WidgetType {
             <path d="M4 1C3.45 1 3 1.45 3 2V14C3 14.55 3.45 15 4 15H12C12.55 15 13 14.55 13 14V5.41C13 5.15 12.89 4.9 12.71 4.71L10.29 2.29C10.1 2.11 9.85 2 9.59 2H4Z" fill="#ffebee" stroke="#e53935" strokeWidth="0.8"/>
             <text x="8" y="11" text-anchor="middle" font-size="5" font-weight="bold" fill="#e53935">PDF</text>
           </svg>
-          <span>PDF nicht gefunden: ${this.filename}</span>
+          <span>PDF nicht gefunden: ${escapeHtml(this.filename)}</span>
         </div>
       `
     }

app/src/renderer/components/Editor/extensions/dataview/widget.ts

@@ -1,5 +1,6 @@
 import React, { useEffect, useRef } from 'react'
 import MarkdownIt from 'markdown-it'
+import { sanitizeHtml } from '../../utils/sanitize'
 import texmath from 'markdown-it-texmath'
 import katex from 'katex'
 import 'katex/dist/katex.min.css'
@@ -10,7 +11,7 @@ import mermaid from 'mermaid'
 mermaid.initialize({
   startOnLoad: false,
   theme: 'dark',
-  securityLevel: 'loose',
+  securityLevel: 'strict',
   fontFamily: 'ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, sans-serif'
 })
 
@@ -28,7 +29,7 @@ md.use(texmath, {
   delimiters: 'dollars',  // $...$ für inline, $$...$$ für block
   katexOptions: {
     throwOnError: false,
-    trust: true,
+    trust: false,
     strict: false,
     displayMode: false
   }
@@ -95,7 +96,7 @@ export const MarkdownContent: React.FC<MarkdownContentProps> = ({ content, class
     <div
       ref={containerRef}
       className={`markdown-content ${className}`}
-      dangerouslySetInnerHTML={{ __html: html }}
+      dangerouslySetInnerHTML={{ __html: sanitizeHtml(html) }}
     />
   )
 }

app/src/renderer/components/Editor/extensions/livePreview/widgets.ts

@@ -1,4 +1,5 @@
 import React, { useState, useEffect, useCallback } from 'react'
+import { sanitizeSvg } from '../../utils/sanitize'
 import './ImageViewer.css'
 
 interface ImageViewerProps {
@@ -170,7 +171,7 @@ export const ImageViewer: React.FC<ImageViewerProps> = ({ filePath, fileName })
           <div
             className="image-container svg-container"
             style={{ transform: `scale(${zoom / 100})` }}
-            dangerouslySetInnerHTML={{ __html: svgContent }}
+            dangerouslySetInnerHTML={{ __html: sanitizeSvg(svgContent) }}
           />
         )}
       </div>

app/src/renderer/components/Flashcards/MarkdownContent.tsx

@@ -1,4 +1,5 @@
 import React, { useState, useEffect, useRef, useCallback, useMemo } from 'react'
+import { sanitizeHtml } from '../../utils/sanitize'
 import { useNotesStore } from '../../stores/notesStore'
 import { useUIStore } from '../../stores/uiStore'
 import { useTranslation } from '../../utils/translations'
@@ -474,7 +475,7 @@ export const NotesChat: React.FC<NotesChatProps> = ({ onClose }) => {
                   <div key={idx} className={`notes-chat-message ${msg.role}`}>
                     <div
                       className="notes-chat-message-content markdown-content"
-                      dangerouslySetInnerHTML={{ __html: md.render(msg.content) }}
+                      dangerouslySetInnerHTML={{ __html: sanitizeHtml(md.render(msg.content)) }}
                     />
                     {msg.role === 'assistant' && (
                       <button
@@ -500,7 +501,7 @@ export const NotesChat: React.FC<NotesChatProps> = ({ onClose }) => {
                   <div className="notes-chat-message assistant streaming">
                     <div
                       className="notes-chat-message-content markdown-content"
-                      dangerouslySetInnerHTML={{ __html: md.render(streamingContent) + '<span class="notes-chat-cursor">|</span>' }}
+                      dangerouslySetInnerHTML={{ __html: sanitizeHtml(md.render(streamingContent)) + '<span class="notes-chat-cursor">|</span>' }}
                     />
                   </div>
                 )}

app/src/renderer/components/ImageViewer/ImageViewer.tsx

@@ -1,5 +1,6 @@
 import React, { useState, useEffect, useMemo } from 'react'
 import MarkdownIt from 'markdown-it'
+import { sanitizeHtml } from '../../utils/sanitize'
 import { useUIStore } from '../../stores/uiStore'
 import { useTranslation } from '../../utils/translations'
 
@@ -79,7 +80,7 @@ export const WhatsNew: React.FC = () => {
           ) : content ? (
             <div
               className="whats-new-markdown"
-              dangerouslySetInnerHTML={{ __html: renderedContent }}
+              dangerouslySetInnerHTML={{ __html: sanitizeHtml(renderedContent) }}
             />
           ) : (
             <div className="whats-new-empty">{t('whatsNew.noContent')}</div>