fix(mobile): resolve security vulnerabilities and remove sensitive logging

Author: batalabs

apps/mobile/v1/src/hooks/useMasterPassword.ts

@@ -35,39 +35,21 @@ export function useMasterPassword() {
     try {
       setIsChecking(true);
 
-      if (__DEV__) {
-        console.log('🔍 Checking master password status for user:', userId);
-      }
-
       // Check if user has a master password set up
       const hasPassword = await hasMasterPassword(userId);
 
-      if (__DEV__) {
-        console.log('🔐 Has master password:', hasPassword);
-      }
-
       if (!hasPassword) {
         // No master password set up yet
         setIsNewSetup(true);
         setNeedsUnlock(true);
-        if (__DEV__) {
-          console.log('🆕 Setting up new master password');
-        }
       } else {
         // Has master password, check if it's unlocked
         const isUnlocked = await isMasterPasswordUnlocked(userId);
 
-        if (__DEV__) {
-          console.log('🔓 Is master password unlocked:', isUnlocked);
-        }
-
         if (!isUnlocked) {
           // Has password but needs to unlock
           setIsNewSetup(false);
           setNeedsUnlock(true);
-          if (__DEV__) {
-            console.log('🔒 Need to unlock master password');
-          }
         } else {
           // Already unlocked
           setIsNewSetup(false);
@@ -122,7 +104,7 @@ export function useMasterPassword() {
 
   const onPasswordSuccess = async (password: string) => {
     if (__DEV__) {
-      console.log('🔑 onPasswordSuccess called with password length:', password.length);
+      console.log('🔑 onPasswordSuccess called');
       console.log('🔑 userId:', userId);
       console.log('🔑 isNewSetup:', isNewSetup);
     }

apps/mobile/v1/src/screens/FoldersScreen.tsx

@@ -1,15 +1,14 @@
 import React, { useState, useEffect, useRef, useMemo, useCallback } from 'react';
-import { View, Text, StyleSheet, TouchableOpacity, ScrollView, ActivityIndicator, RefreshControl, TextInput, Alert, Keyboard, Animated } from 'react-native';
+import { View, Text, StyleSheet, TouchableOpacity, ScrollView, ActivityIndicator, RefreshControl, Alert, Keyboard, Animated } from 'react-native';
 import AsyncStorage from '@react-native-async-storage/async-storage';
 import * as Haptics from 'expo-haptics';
 import { SafeAreaView } from 'react-native-safe-area-context';
 import { useRouter } from 'expo-router';
 import { useTheme } from '../theme';
 import { Ionicons } from '@expo/vector-icons';
-import { useApiService, type Folder, type Note } from '../services/api';
-import BottomNavigation from '../components/BottomNavigation';
-import { FOLDER_CARD, ACTION_BUTTON, SECTION, FOLDER_COLORS } from '../constants/ui';
-import { BottomSheetModal, BottomSheetView, BottomSheetBackdrop, BottomSheetTextInput, BottomSheetScrollView } from '@gorhom/bottom-sheet';
+import { useApiService, type Folder } from '../services/api';
+import { FOLDER_CARD, ACTION_BUTTON, FOLDER_COLORS } from '../constants/ui';
+import { BottomSheetModal, BottomSheetView, BottomSheetBackdrop, BottomSheetTextInput } from '@gorhom/bottom-sheet';
 
 interface Props {
   navigation?: any;
@@ -107,7 +106,7 @@ export default function FoldersScreen({ navigation }: Props) {
   useEffect(() => {
     loadFoldersData();
     loadViewMode();
-  }, [api]);
+  }, [api, loadFoldersData]);
 
   const loadViewMode = async () => {
     try {
@@ -131,7 +130,7 @@ export default function FoldersScreen({ navigation }: Props) {
     return () => clearTimeout(timer);
   }, [loading]);
 
-  const loadFoldersData = async (isRefresh = false) => {
+  const loadFoldersData = useCallback(async (isRefresh = false) => {
     try {
       if (!isRefresh) {
         setLoading(true);
@@ -199,7 +198,7 @@ export default function FoldersScreen({ navigation }: Props) {
         setLoading(false);
       }
     }
-  };
+  }, [api]);
 
   const onRefresh = async () => {
     try {

apps/mobile/v1/src/screens/NotesListScreen.tsx

@@ -1,13 +1,12 @@
 import React, { useState, useEffect, useRef, useMemo, useCallback } from 'react';
-import { View, Text, ScrollView, StyleSheet, Pressable, Alert, ActivityIndicator, TouchableOpacity, TextInput, RefreshControl, Animated, Platform, Keyboard } from 'react-native';
+import { View, Text, ScrollView, StyleSheet, Pressable, Alert, ActivityIndicator, TouchableOpacity, RefreshControl, Animated, Keyboard } from 'react-native';
 import AsyncStorage from '@react-native-async-storage/async-storage';
 import * as Haptics from 'expo-haptics';
-import { SafeAreaView } from 'react-native-safe-area-context';
 import { useFocusEffect } from '@react-navigation/native';
 import { useTheme } from '../theme';
 import { useApiService, type Note, type Folder } from '../services/api';
 import { Ionicons } from '@expo/vector-icons';
-import { NOTE_CARD, FOLDER_CARD, ACTION_BUTTON, SECTION, FOLDER_COLORS } from '../constants/ui';
+import { NOTE_CARD, FOLDER_CARD, SECTION, FOLDER_COLORS } from '../constants/ui';
 import { BottomSheetModal, BottomSheetView, BottomSheetBackdrop, BottomSheetTextInput } from '@gorhom/bottom-sheet';
 
 interface Props {
@@ -17,42 +16,26 @@ interface Props {
   scrollY?: Animated.Value;
 }
 
-// Helper functions for view types
-function getViewTitle(viewType: string): string {
-  switch (viewType) {
-    case 'all': return 'All Notes';
-    case 'starred': return 'Starred';
-    case 'archived': return 'Archived';
-    case 'trash': return 'Trash';
-    default: return 'Notes';
-  }
-}
-
-function getViewSubtitle(viewType: string): string {
-  switch (viewType) {
-    case 'all': return 'All your active notes';
-    case 'starred': return 'Your starred notes';
-    case 'archived': return 'Your archived notes';
-    case 'trash': return 'Your deleted notes';
-    default: return 'Your secure notes';
-  }
-}
-
 // Helper function to strip HTML tags and decode entities
 function stripHtmlTags(html: string): string {
   if (!html) return '';
 
-  // Remove HTML tags
-  let text = html.replace(/<[^>]*>/g, '');
+  // Remove HTML tags (apply repeatedly to handle nested/incomplete tags)
+  let previous;
+  let text = html;
+  do {
+    previous = text;
+    text = text.replace(/<[^>]*>/g, '');
+  } while (text !== previous);
 
-  // Decode common HTML entities
+  // Decode common HTML entities (decode &amp; last to prevent double-unescaping)
   text = text
-    .replace(/&amp;/g, '&')
     .replace(/&lt;/g, '<')
     .replace(/&gt;/g, '>')
     .replace(/&quot;/g, '"')
     .replace(/&#39;/g, "'")
-    .replace(/&nbsp;/g, ' ');
+    .replace(/&nbsp;/g, ' ')
+    .replace(/&amp;/g, '&');
 
   // Remove extra whitespace and normalize
   text = text.replace(/\s+/g, ' ').trim();
@@ -63,7 +46,7 @@ function stripHtmlTags(html: string): string {
 export default function NotesListScreen({ navigation, route, renderHeader, scrollY: parentScrollY }: Props) {
   const theme = useTheme();
   const api = useApiService();
-  const { folderId, folderName, viewType, searchQuery } = route?.params || {};
+  const { folderId, viewType, searchQuery } = route?.params || {};
 
   const [notes, setNotes] = useState<Note[]>([]);
   const [subfolders, setSubfolders] = useState<Folder[]>([]);
@@ -76,7 +59,6 @@ export default function NotesListScreen({ navigation, route, renderHeader, scrol
   const [newFolderName, setNewFolderName] = useState('');
   const [selectedColor, setSelectedColor] = useState('#3b82f6');
   const [isCreatingFolder, setIsCreatingFolder] = useState(false);
-  const [showFabMenu, setShowFabMenu] = useState(false);
   const [viewMode, setViewMode] = useState<'list' | 'grid'>('list');
 
   // Bottom sheet ref

apps/mobile/v1/src/screens/SettingsScreen.tsx

@@ -1,12 +1,11 @@
 import React, { useState, useRef, useMemo, useCallback, useEffect } from 'react';
 import { View, Text, StyleSheet, TouchableOpacity, ScrollView, Alert, Linking, Animated } from 'react-native';
 import { SafeAreaView } from 'react-native-safe-area-context';
-import { useAuth, useUser } from '@clerk/clerk-expo';
+import { useUser } from '@clerk/clerk-expo';
 import { useRouter } from 'expo-router';
 import { useTheme } from '../theme';
 import { LIGHT_THEME_PRESETS, DARK_THEME_PRESETS } from '../theme/presets';
-import { Button } from '../components/ui/Button';
-import { Card, CardHeader, CardTitle, CardContent } from '../components/ui/Card';
+import { Card } from '../components/ui/Card';
 import { Ionicons } from '@expo/vector-icons';
 import { clearUserEncryptionData } from '../lib/encryption';
 import { forceGlobalMasterPasswordRefresh } from '../hooks/useMasterPassword';