Recruiting
College-football recruiting tracker for Convoro. Pulls live FBS recruiting rankings from collegefootballdata.com and renders them on a themed page at /recruiting — searchable, filterable by position and commitment status, with star ratings, hometowns, committed schools and (optionally) player headshots. Cache-backed with stale-while-revalidate, so the page stays fast and survives CFBD outages.
AI security review
Reviewed safe · 94/100
A well-structured CFBD recruiting tracker that fetches third-party data and renders it server-side with proper output escaping, http(s)-restricted photo URLs, and admin-gated settings. No RCE, SQLi, dynamic includes, hardcoded credentials, or data exfiltration were found.
- low · Outbound scrape of On3 rankings HTML — On3PhotoEnricher.php fetches https://www.on3.com/rivals/rankings/player/football/{year}/ and regex-parses HTML for headshot URLs. The {year} is validated to 4 digits before use, the request target is a fixed host, and it can be disabled via photos_enabled. Honest User-Agent, fails soft. Minor third-party dependency/scraping concern, not a security vulnerability.
- low · Photo URLs accept http (non-TLS) and are rendered as img src — safePhoto() in Extension.php allows both http:// and https:// URLs. URLs come from On3's CDN (on3static.com) parsed map, and values are escaped before insertion into the img src attribute, so risk is low; allowing plain http could load mixed content, but it is not an injection vector.
- low · API key stored and reflected in admin HTML — adminPage() echoes the CFBD api_key into a text input (escaped). This is standard admin-only settings behavior; the value is gated behind web/auth/admin middleware. No exfiltration to external hosts observed.
Automated review of v1.0.2 by claude-opus-4-8 1 week ago. This is an automated signal to aid your judgment — not a guarantee.