Here are some things Bryan noticed missing in the code. Logging them here to track them properly.
- Add a LICENSE file
- Use a framework for request routing (slim, most likely)
- Escape strings coming from the database before rendering them (see hsc() here; Twig takes care of this in templates)
- Use prepared statements for SQL queries to avoid SQL injection attacks
- URL-encode string-concatenated URLs
- Add lint and checkstyle to composer.json and run them via travis-ci, which runs lint and phpunit tests (todo: integrate mediawiki-codesniffer tests at some point)
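The three security items above (escaping database output, prepared statements, URL-encoding concatenated URLs) in one runnable PHP script. This is an added example, not code from the project: the `users` table, the `findUserByName()`/`profileUrl()` helpers and the sample rows are constructed for illustration, and an in-memory SQLite database (pdo_sqlite) stands in for the real one so it runs offline.

```php
<?php
// Added example, not the project's own code. Table, helper names and rows are
// constructed; an in-memory SQLite database replaces the real one.
declare(strict_types=1);

// Prepared statements: the user-supplied value is bound as a parameter and
// never becomes part of the SQL text, so quotes in it cannot alter the query.
function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, website FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output escaping: everything read from the database is escaped before it is
// placed in HTML. This mirrors a typical hsc() helper; Twig's autoescape does
// the same for templates, but HTML built outside a template still needs it.
function hsc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// URL building: encode each query parameter instead of concatenating raw values.
function profileUrl(string $base, string $name): string
{
    return $base . '?' . http_build_query(['user' => $name]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, website TEXT)');

// Constructed rows; the second one carries characters that need escaping.
$ins = $db->prepare('INSERT INTO users (name, website) VALUES (:name, :website)');
$ins->execute([':name' => "o'brien", ':website' => 'https://example.org/obrien']);
$ins->execute([':name' => 'Tom & "Jerry" <admin>', ':website' => 'https://example.org/?q=a&b=c']);

// An apostrophe in the name would break a string-concatenated query; with a
// bound parameter it is just data and the row is found.
$user = findUserByName($db, "o'brien");
assert($user !== null && $user['name'] === "o'brien");

// Render a list item: the URL is percent-encoded first, then HTML-escaped as an
// attribute value; the displayed text and website are HTML-escaped as well.
foreach (["o'brien", 'Tom & "Jerry" <admin>'] as $name) {
    $user = findUserByName($db, $name);
    echo '<li><a href="' . hsc(profileUrl('/profile.php', $user['name'])) . '">'
       . hsc($user['name']) . '</a> ' . hsc($user['website']) . "</li>\n";
}
```

Note the order in the `href`: `profileUrl()` percent-encodes the parameter for the URL, and `hsc()` then escapes the finished URL for the HTML attribute context. Doing only one of the two leaves the other context unprotected.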
Feel free to edit this list if you can think of more things I should be fixing in general.