TMDB

Turn a topic into a rich movie or TV page. Title a topic with a film or show name and Convoro pulls the poster, overview, cast, where-to-watch and a trailer from The Movie Database, rendered as a card on the first post. Free first-party extension.

AI security review

Reviewed safe · 96/100
A clean first-party TMDB integration that looks up movie/TV metadata, caches it, and renders a server-side card. Output is consistently HTML-escaped, SQL uses parameterized query builders, and the only external host is the official TMDB API with an admin-provided key.
  • low · Trailer thumbnail/background-image not escaped via CSS context — In tabsHtml(), the YouTube key is escaped with self::e() for the data-yt attribute but interpolated into an inline style background-image url() (and $thumb) where HTML entity escaping does not fully neutralize CSS-context breakout. The key originates from TMDB's API (trusted source) and would need to contain quote/paren characters, so practical risk is minimal, but CSS-context handling would be more robust.
  • low · watch provider 'link' rendered into href — watchHtml() outputs $prov['link'] into an anchor href. The value comes from TMDB's API and is HTML-attribute-escaped with rel=noopener; no javascript: scheme filtering is applied, but source is trusted TMDB data so risk is low.

Automated review of v1.0.0 by claude-opus-4-8 1 week ago. This is an automated signal to aid your judgment — not a guarantee.