apply security audit

frontend/src/components/dashboard/BookStackRecentWidget.tsx

@@ -13,13 +13,14 @@ import { formatDistanceToNow } from 'date-fns';
 import { de } from 'date-fns/locale';
 import { bookstackApi } from '../../services/bookstack';
 import type { BookStackPage } from '../../types/bookstack.types';
+import { safeOpenUrl } from '../../utils/safeOpenUrl';
 
 const PageRow: React.FC<{ page: BookStackPage; showDivider: boolean }> = ({
   page,
   showDivider,
 }) => {
   const handleClick = () => {
-    window.open(page.url, '_blank', 'noopener,noreferrer');
+    safeOpenUrl(page.url);
   };
 
   const relativeTime = page.updated_at

frontend/src/components/dashboard/BookStackSearchWidget.tsx

@@ -14,6 +14,7 @@ import { Search, MenuBook } from '@mui/icons-material';
 import { useQuery } from '@tanstack/react-query';
 import { bookstackApi } from '../../services/bookstack';
 import type { BookStackSearchResult } from '../../types/bookstack.types';
+import { safeOpenUrl } from '../../utils/safeOpenUrl';
 
 function stripHtml(html: string): string {
   return html.replace(/<[^>]*>/g, '').trim();
@@ -28,7 +29,7 @@ const ResultRow: React.FC<{ result: BookStackSearchResult; showDivider: boolean
   return (
     <>
       <Box
-        onClick={() => window.open(result.url, '_blank', 'noopener,noreferrer')}
+        onClick={() => safeOpenUrl(result.url)}
         sx={{
           py: 1.5,
           px: 1,

frontend/src/components/dashboard/NextcloudTalkWidget.tsx

@@ -18,6 +18,7 @@ import { formatDistanceToNow } from 'date-fns';
 import { de } from 'date-fns/locale';
 import { nextcloudApi } from '../../services/nextcloud';
 import type { NextcloudConversation } from '../../types/nextcloud.types';
+import { safeOpenUrl } from '../../utils/safeOpenUrl';
 
 const POLL_INTERVAL = 2000;
 const POLL_TIMEOUT = 5 * 60 * 1000;
@@ -27,7 +28,7 @@ const ConversationRow: React.FC<{ conversation: NextcloudConversation; showDivid
   showDivider,
 }) => {
   const handleClick = () => {
-    window.open(conversation.url, '_blank', 'noopener,noreferrer');
+    safeOpenUrl(conversation.url);
   };
 
   const relativeTime = conversation.lastMessage

frontend/src/components/dashboard/VikunjaMyTasksWidget.tsx

@@ -14,6 +14,7 @@ import { format, isPast } from 'date-fns';
 import { de } from 'date-fns/locale';
 import { vikunjaApi } from '../../services/vikunja';
 import type { VikunjaTask } from '../../types/vikunja.types';
+import { safeOpenUrl } from '../../utils/safeOpenUrl';
 
 const PRIORITY_LABELS: Record<number, { label: string; color: 'default' | 'warning' | 'error' }> = {
   0: { label: 'Keine', color: 'default' },
@@ -30,7 +31,7 @@ const TaskRow: React.FC<{ task: VikunjaTask; showDivider: boolean; vikunjaUrl: s
   vikunjaUrl,
 }) => {
   const handleClick = () => {
-    window.open(`${vikunjaUrl}/tasks/${task.id}`, '_blank', 'noopener,noreferrer');
+    safeOpenUrl(`${vikunjaUrl}/tasks/${task.id}`);
   };
 
   const dueDateStr = task.due_date