Page Builder

A premium drag-and-drop page builder + content CMS for Convoro. Design beautiful custom pages with a live, in-context visual editor and a rich block library (hero, gallery, columns, accordion, embeds, forum widgets and more) — every block themed by your forum's colours. Plus a full Content Types CMS: define your own record types with custom fields, categories, and auto-generated listing + detail pages. Set any page as your homepage.

AI security review

Reviewed safe · 88/100
A legitimate first-party-style page builder/CMS extension. Authorization is consistently enforced on manage/admin routes, output is escaped, and the only network call is a license check to the configured store URL. Minor caution items: stored-XSS surface via richtext/custom-HTML blocks and use of @vite-ignore dynamic import (server-controlled URL).
  • low · Custom HTML / richtext sanitizer is regex-based — Blocks::safeHtml() and ContentController::fieldValueHtml() strip <script>, on* handlers and javascript: via regex only. The 'html' and 'richtext' blocks are manager-authored (gated by page-builder.manage), so this is limited privilege, but regex sanitization can be bypassed (e.g. svg/style/data-URI vectors), allowing persistent script in public pages.
  • low · import(/* @vite-ignore */ cfg.editorUrl) — forum.js dynamically imports cfg.editorUrl. The URL originates server-side from Extension::renderPage (route('pb.editor.js')) so it is not user-controlled in practice, but it is a dynamic module load worth noting.
  • low · License validation phones home to store URL — Extension::licensed() POSTs the license key + package name to config('convoro.store_url')/api/licenses/validate with a 6s timeout. Only the license key is sent, no user data; endpoint is from app config, not hardcoded external host. Fails open on network error.
  • low · Image upload delegated to core endpoint — Uploads go to core /uploads/image; extension does not implement file write itself, so no arbitrary file write surface here.

Automated review of v1.0.0 by claude-opus-4-8 1 week ago. This is an automated signal to aid your judgment — not a guarantee.