Added
- Frontend audit regression coverage now guards the accessibility and rendering fixes from this release: audited frontend files must not reintroduce
innerHTMLassignments, Meals and Budget must use local date keys, shared sub-tabs must wire tabs to panels, settings theme buttons must expose pressed state, and router overlays must stay hidden from keyboard focus when closed. - Shared local date helpers centralize YYYY-MM-DD generation for API payloads, week starts, and day arithmetic without relying on UTC ISO string slicing.
Changed
- More navigation and global search overlays now behave like proper dialogs: closed overlays are inert, open overlays declare modal semantics, focus moves into the active surface, Escape closes them, and focus returns to the launching control.
- Shared sub-tabs now generate stable tab ids, connect each tab to its matching panel with
aria-controlsandaria-labelledby, and keep hidden panel state synchronized with the active tab. - Settings theme buttons now expose
aria-pressedand update that pressed state whenever the active theme changes. - Shopping list creation now uses the existing localized label for its icon-only button instead of a hardcoded German ARIA label.
- Notes, Meals, and the install prompt now render through
replaceChildren(),insertAdjacentHTML(), or DOM APIs instead of assigninginnerHTML, aligning these frontend paths with the project XSS policy.
Fixed
- Meals and Budget no longer derive today, week starts, or payment dates through UTC ISO slicing, preventing off-by-one calendar dates for users west of UTC and around local midnight.
- The PWA install prompt now builds its dismiss icon with SVG DOM APIs and clears shadow content safely, avoiding blocked
innerHTMLassignments. - Hidden More and Search overlay controls are no longer reachable by keyboard or assistive technology while the overlays are closed.