by arcticfox 3617 days ago
Also, just because we're on Hacker News, it doesn't mean every reader is equipped to audit code for security vulnerabilities.

Presumably that's the job of a professional security developer that might reasonably be expected to have checked their own similar product for this vulnerability...

Fair. I would, though, expect someone whose HN profile identifies him as an experienced full-stack engineer to be up to the challenge of spotting something as basic as an extension injecting code into untrusted DOM and trusting the results that code gives back.

Chill. There's no need to bash other people's expertise. We get it, you're an expert in the domain, but this is adding nothing to the conversation.