Last reviewed: 2026-01-13 | Version: 2.4.0

This extension follows Chrome Extension security best practices and does not exhibit malicious behavior.

• DOMPurify is used for HTML sanitization in content scripts
• User-generated content is escaped using textContent method before rendering
• External links use rel="noopener" to prevent reverse tabnapping

• All data is stored locally using chrome.storage.local
• No data is sent to external servers
• URLs are normalized to strip tracking parameters, but original URLs are preserved

• Downloads use Chrome's downloads API with proper data URL encoding
• Filenames are sanitized (alphanumeric + dashes only, limited length)
• No arbitrary code execution

*<all_urls> host permission is necessary for a web clipper to function on any website. The extension only activates when explicitly triggered by the user.

• The settings import feature accepts JSON files
• A confirmation dialog is shown before applying imported settings
• Imported data is validated before use

• The archive sites list uses innerHTML for rendering
• Site domains are sanitized on input (protocol/path stripped)
• Risk is mitigated by user confirmation during import

When enabled by user:

• Freedium (freedium.cfd) - Medium paywall bypass
• Archive.ph - Paywalled content access

These are disabled by default and require explicit user opt-in.

If you discover a security vulnerability, please:

1. Do not open a public GitHub issue
2. Email the maintainer directly
3. Provide a detailed description and steps to reproduce
4. Allow reasonable time for a fix before disclosure

The extension's CSP is defined in manifest.json:

"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'self'"
}

This prevents:

• Inline script execution
• External script loading
• Object/embed abuse

• No new security concerns introduced
• Badge functionality uses standard Chrome APIs
• Custom path setting is handled by Chrome's download API (sandboxed)