fix: resolve critical XSS vulnerabilities and code quality issues

  - Fix XSS vulnerability in note preview by replacing innerHTML with safe DOMParser
  - Fix XSS vulnerability in print functionality using secure DOM manipulation
  - Remove duplicate clear() method in MessageAuthenticator class
  - Preserve readable spacing in note card previews by handling block elements
  - Add proper spacing for paragraphs, headings, and line breaks in text extraction
  - Enhance security by using textContent and DOM methods instead of string injection

Author: batalabs

src/components/common/WebSocketStatus.tsx

@@ -1,4 +1,11 @@
-import { Wifi, WifiOff, RefreshCw, AlertCircle, CheckCircle, Clock } from 'lucide-react';
+import {
+  Wifi,
+  WifiOff,
+  RefreshCw,
+  AlertCircle,
+  CheckCircle,
+  Clock,
+} from 'lucide-react';
 import {
   DropdownMenu,
   DropdownMenuContent,
@@ -23,7 +30,11 @@ interface WebSocketStatusProps {
   showDetails?: boolean;
 }
 
-const getStatusIcon = (_status: WebSocketStatus, isConnected: boolean, isAuthenticated: boolean) => {
+const getStatusIcon = (
+  _status: WebSocketStatus,
+  isConnected: boolean,
+  isAuthenticated: boolean
+) => {
   // Keep wifi icons but with proper colors
   const isConnectedAndAuth = isConnected && isAuthenticated;
 
@@ -36,14 +47,16 @@ const getStatusIcon = (_status: WebSocketStatus, isConnected: boolean, isAuthent
 
 const getStatusText = (status: WebSocketStatus, isAuthenticated: boolean) => {
   // Simplified: only show Connected or Disconnected
-  const isConnectedAndAuth = (status === 'connected' || status === 'authenticated') && isAuthenticated;
+  const isConnectedAndAuth =
+    (status === 'connected' || status === 'authenticated') && isAuthenticated;
 
   return isConnectedAndAuth ? 'Connected' : 'Disconnected';
 };
 
 const getStatusColor = (status: WebSocketStatus, isAuthenticated: boolean) => {
   // Simplified: green for connected, gray for disconnected
-  const isConnectedAndAuth = (status === 'connected' || status === 'authenticated') && isAuthenticated;
+  const isConnectedAndAuth =
+    (status === 'connected' || status === 'authenticated') && isAuthenticated;
 
   return isConnectedAndAuth ? 'text-green-600' : 'text-gray-500';
 };
@@ -93,25 +106,26 @@ export function WebSocketStatus({
   return (
     <DropdownMenu>
       <DropdownMenuTrigger asChild>
-        <div className="flex items-center gap-1 px-1.5 py-0.5 hover:bg-muted rounded cursor-default" title={statusText}>
+        <div
+          className="hover:bg-muted flex cursor-default items-center gap-1 rounded px-1.5 py-0.5"
+          title={statusText}
+        >
           {statusIcon}
-          <span className="hidden sm:inline">
-            {statusText}
-          </span>
+          <span className="hidden sm:inline">{statusText}</span>
         </div>
       </DropdownMenuTrigger>
       <DropdownMenuContent align="end" className="w-64">
         <div className="p-2">
-          <div className="flex items-center gap-2 mb-2">
+          <div className="mb-2 flex items-center gap-2">
             {statusIcon}
             <span className={`text-sm font-medium ${statusColor}`}>
               {statusText}
             </span>
           </div>
 
           {error && (
-            <div className="mb-2 p-2 bg-red-50 border border-red-200 rounded text-xs text-red-700">
-              <div className="font-medium mb-1">Error:</div>
+            <div className="mb-2 rounded border border-red-200 bg-red-50 p-2 text-xs text-red-700">
+              <div className="mb-1 font-medium">Error:</div>
               <div>{error}</div>
             </div>
           )}
@@ -187,20 +201,19 @@ export function WebSocketStatusCompact({
   isAuthenticated,
   lastSync,
 }: Pick<WebSocketStatusProps, 'status' | 'isAuthenticated' | 'lastSync'>) {
-  const isConnectedAndAuth = (status === 'connected' || status === 'authenticated') && isAuthenticated;
+  const isConnectedAndAuth =
+    (status === 'connected' || status === 'authenticated') && isAuthenticated;
   const statusIcon = getStatusIcon(status, isConnectedAndAuth, isAuthenticated);
   const statusText = isConnectedAndAuth ? 'Connected' : 'Disconnected';
 
   return (
     <div className="flex items-center gap-1">
       <div
-        className="flex items-center gap-1 px-1.5 py-0.5 rounded cursor-default"
+        className="flex cursor-default items-center gap-1 rounded px-1.5 py-0.5"
         title={`${statusText}${lastSync ? ` • Last sync: ${formatLastSync(lastSync)}` : ''}`}
       >
         {statusIcon}
-        <span className="hidden sm:inline">
-          {statusText}
-        </span>
+        <span className="hidden sm:inline">{statusText}</span>
       </div>
     </div>
   );
@@ -209,15 +222,15 @@ export function WebSocketStatusCompact({
 // Sync indicator for showing when sync is in progress
 export function SyncIndicator({
   isVisible,
-  message = 'Syncing...'
+  message = 'Syncing...',
 }: {
   isVisible: boolean;
   message?: string;
 }) {
   if (!isVisible) return null;
 
   return (
-    <div className="flex items-center gap-2 px-2 py-1 bg-blue-50 border border-blue-200 rounded text-xs text-blue-700">
+    <div className="flex items-center gap-2 rounded border border-blue-200 bg-blue-50 px-2 py-1 text-xs text-blue-700">
       <RefreshCw className="h-3 w-3 animate-spin" />
       <span>{message}</span>
     </div>
@@ -251,15 +264,17 @@ export function SyncNotification({
   };
 
   return (
-    <div className={`fixed top-4 right-4 z-50 flex items-center gap-2 px-3 py-2 border rounded shadow-sm ${colors[type]} max-w-sm`}>
+    <div
+      className={`fixed top-4 right-4 z-50 flex items-center gap-2 rounded border px-3 py-2 shadow-sm ${colors[type]} max-w-sm`}
+    >
       {icons[type]}
-      <span className="text-sm flex-1">{message}</span>
+      <span className="flex-1 text-sm">{message}</span>
       <button
         onClick={onDismiss}
-        className="text-gray-500 hover:text-gray-700 ml-2"
+        className="ml-2 text-gray-500 hover:text-gray-700"
       >
         ×
       </button>
     </div>
   );
-}
+}

src/components/editor/Editor/StatusBar.tsx

@@ -39,68 +39,77 @@ export function StatusBar({
   onWsReconnect,
 }: StatusBarProps) {
   return (
-    <div className="border-t bg-primary/5 dark:bg-primary/10 px-3 py-0.5 flex items-center justify-between text-[11px] font-sans">
+    <div className="bg-primary/5 dark:bg-primary/10 flex items-center justify-between border-t px-3 py-0.5 font-sans text-[11px]">
       {/* Left side - Word, character count, and reading time */}
       <div className="flex items-center gap-3">
         {(wordCount > 0 || charCount > 0) && (
           <>
-            <span className="hover:bg-muted px-1.5 py-0.5 rounded cursor-default">
+            <span className="hover:bg-muted cursor-default rounded px-1.5 py-0.5">
               {wordCount} {wordCount === 1 ? 'word' : 'words'}
             </span>
-            <span className="hover:bg-muted px-1.5 py-0.5 rounded cursor-default">
+            <span className="hover:bg-muted cursor-default rounded px-1.5 py-0.5">
               {charCount} {charCount === 1 ? 'character' : 'characters'}
             </span>
           </>
         )}
         {readingTime > 0 && (
-          <span className="hover:bg-muted px-1.5 py-0.5 rounded cursor-default" title="Estimated reading time">
+          <span
+            className="hover:bg-muted cursor-default rounded px-1.5 py-0.5"
+            title="Estimated reading time"
+          >
             ~{readingTime} min read
           </span>
         )}
       </div>
-      
+
       {/* Right side - Scroll percentage, zoom controls, and save status */}
       <div className="flex items-center gap-3">
         {scrollPercentage > 0 && (
-          <span className="hover:bg-muted px-1.5 py-0.5 rounded cursor-default" title="Scroll position">
+          <span
+            className="hover:bg-muted cursor-default rounded px-1.5 py-0.5"
+            title="Scroll position"
+          >
             {scrollPercentage}%
           </span>
         )}
-        
+
         {/* Note ID */}
         {noteId && (
-          <span className="hover:bg-muted px-1.5 py-0.5 rounded cursor-default" title="Note ID">
+          <span
+            className="hover:bg-muted cursor-default rounded px-1.5 py-0.5"
+            title="Note ID"
+          >
             {noteId}
           </span>
         )}
-        
+
         {/* Zoom controls */}
         <div className="flex items-center gap-1">
           <button
             onClick={onZoomOut}
-            className="hover:bg-muted p-1 rounded cursor-pointer text-muted-foreground hover:text-foreground transition-colors"
+            className="hover:bg-muted text-muted-foreground hover:text-foreground cursor-pointer rounded p-1 transition-colors"
             title="Zoom out"
             disabled={zoomLevel <= 50}
           >
             <Minus className="h-3 w-3" />
           </button>
-          <span 
-            className="hover:bg-muted px-1.5 py-0.5 rounded cursor-pointer min-w-[45px] text-center"
+          <span
+            className="hover:bg-muted min-w-[45px] cursor-pointer rounded px-1.5 py-0.5 text-center"
             onClick={onResetZoom}
             title="Click to reset zoom"
           >
             {zoomLevel}%
           </span>
           <button
             onClick={onZoomIn}
-            className="hover:bg-muted p-1 rounded cursor-pointer text-muted-foreground hover:text-foreground transition-colors"
+            className="hover:bg-muted text-muted-foreground hover:text-foreground cursor-pointer rounded p-1 transition-colors"
             title="Zoom in"
             disabled={zoomLevel >= 200}
           >
             <Plus className="h-3 w-3" />
           </button>
         </div>
-        
+
         {/* WebSocket sync status */}
         {wsStatus && onWsReconnect && (
           <WebSocketStatusCompact
@@ -111,14 +120,19 @@ export function StatusBar({
         )}
 
         {/* Save status */}
-        <div className="flex items-center gap-1 px-1.5 py-0.5 hover:bg-muted rounded cursor-default" title={
-          saveStatus === 'saving' ? 'Saving changes...' :
-          saveStatus === 'saved' ? 'All changes saved' :
-          'Error saving changes'
-        }>
+        <div
+          className="hover:bg-muted flex cursor-default items-center gap-1 rounded px-1.5 py-0.5"
+          title={
+            saveStatus === 'saving'
+              ? 'Saving changes...'
+              : saveStatus === 'saved'
+                ? 'All changes saved'
+                : 'Error saving changes'
+          }
+        >
           {saveStatus === 'saving' && (
             <>
-              <div className="h-1.5 w-1.5 rounded-full bg-orange-500 animate-pulse" />
+              <div className="h-1.5 w-1.5 animate-pulse rounded-full bg-orange-500" />
               <span>Saving</span>
             </>
           )}
@@ -138,4 +152,4 @@ export function StatusBar({
       </div>
     </div>
   );
-}
+}