
Projects


A showcase where members publish their projects — title, link, image and description — shown as cards on a /projects page, with a latest-projects sidebar widget and admin moderation.

AI security review

Reviewed safe · 92/100
A straightforward member project showcase extension using standard Laravel patterns with proper input validation, output escaping, and authorization checks. No RCE, SQL injection, SSRF, hardcoded credentials, or phone-home behavior found.
  • low · Image URL injected into CSS background-image — In src/Extension.php page() and forum.js, user-supplied project.image is interpolated into a CSS background-image:url('...') with only HTML-entity escaping (not CSS-context escaping). The image field is validated as a string (max:2048) rather than a strict URL, so a crafted value could break out of the CSS url() context or use javascript:/data: schemes. Impact is limited (CSS context, escaped quotes), but stricter URL validation/scheme allowlisting is recommended.
  • low · Admin gating relies on framework 'admin' middleware — The /admin/ext/projects route is protected by ['web','auth','admin'] middleware and delete uses is_admin/ownership checks. This is correct assuming the host 'admin' middleware is sound; no missing authorization on admin actions was identified within the provided source.
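The stricter handling the first finding recommends, written out as an added example (this is not code from the Projects extension or from its review): the member-supplied image value is parsed as a URL, its scheme is checked against an allowlist, and only then is it escaped as a CSS string and placed inside url(). Function names, the length bound and the sample URLs are assumptions; the 2048 limit mirrors the max:2048 rule the finding mentions. One caveat worth keeping in mind when weighing the finding's "escaped quotes" point: inside a style attribute the HTML parser decodes entities such as &#039; back into a quote before the CSS parser ever sees the value, whereas inside a style element it does not, so HTML-entity escaping is only a reliable quote barrier in the second case. Validating the scheme removes that dependency on context.

```javascript
// Added example, not the extension's own code: allowlist the scheme of a
// member-supplied image URL before it reaches a CSS url() context, and escape
// the value as a CSS string instead of relying on HTML-entity escaping.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']); // assumption: only web images are wanted
const MAX_LEN = 2048; // mirrors the max:2048 length bound the review cites

// Returns a normalized absolute URL string, or null when the value is rejected.
function validateImageUrl(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > MAX_LEN) return null;
  let url;
  try {
    url = new URL(value); // no base URL: relative paths and CSS breakout junk throw here
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // rejects javascript:, data:, file:, ...
  if (url.username || url.password) return null; // embedded credentials are never legitimate here
  return url.href; // WHATWG normalization also percent-encodes '"' and control characters
}

// Escape for a double-quoted CSS string: backslash and quote get a backslash,
// control characters become hex escapes. Defense in depth behind the allowlist.
function cssStringEscape(s) {
  let out = '';
  for (const ch of s) {
    const code = ch.codePointAt(0);
    if (ch === '\\' || ch === '"') out += '\\' + ch;
    else if (code < 0x20 || code === 0x7f) out += '\\' + code.toString(16) + ' ';
    else out += ch;
  }
  return out;
}

// Builds the background-image value; a rejected URL degrades to 'none'
// rather than to an empty or partially escaped url().
function backgroundImageValue(value) {
  const safe = validateImageUrl(value);
  return safe === null ? 'none' : `url("${cssStringEscape(safe)}")`;
}

// Constructed inputs: one legitimate image, then the kinds of values the finding warns about.
const samples = [
  'https://example.com/img/a.png',
  'javascript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  "x') ; background:url(javascript:alert(1)",
];
for (const s of samples) console.log(JSON.stringify(s), '->', backgroundImageValue(s));
```

The same allowlist belongs in the Laravel request validation on the server, so a rejected value is never stored in the first place; the client-side check in forum.js is then only a second line for values that were stored before the rule was tightened. If the extension stores relative upload paths rather than absolute URLs, pass the site origin as the base argument to the URL constructor and the rest of the check stays the same.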

Automated review of v1.1.0 by claude-opus-4-8 2 weeks ago. This is an automated signal to aid your judgment — not a guarantee.