Security fixes for login.py
XSS — LoginPage hidden inputs
The executable and argument parameters were interpolated directly into HTML attribute values without escaping. A crafted value could close the attribute with a double quote and inject further attributes (an event handler, for instance) or arbitrary HTML and JavaScript. Both values are now passed through ISFDBText(..., True), which escapes <, >, &, and " using the standard cgi.escape/html.escape path (Python 2/3 compatible). One caveat: cgi.escape(..., True) on Python 2 does not escape the single quote (html.escape on Python 3 does), so the fix relies on the attribute values staying double-quoted in the template.
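As an added example (not code from login.py or the ISFDB project), the attribute break-out before the fix and the effect of escaping after it. html.escape(value, True) stands in for ISFDBText(value, True); the function names, the HTMLParser-based helper that shows the attributes the way a browser would see them, and the payload are constructed for illustration (Python 3):

```python
# Added example, not code from login.py. `html_attr` stands in for
# ISFDBText(value, True); the other names and the payload are constructed.
from html import escape
from html.parser import HTMLParser

# Constructed attacker input for the `executable` hidden field: a closing quote,
# then extra attributes that make the input run script when it gains focus.
PAYLOAD = '" autofocus onfocus="alert(1)'


def html_attr(value):
    """Escape a value for a double-quoted HTML attribute. quote=True turns '"'
    into &quot; (and, in html.escape, "'" into &#x27;) along with <, > and &.
    cgi.escape(..., True) on Python 2 does the same except for the single
    quote, so attribute values must stay double-quoted."""
    return escape(value, True)


def hidden_input_unescaped(name, value):
    # The pattern before the fix: raw interpolation into the attribute value.
    return '<input type="hidden" name="%s" value="%s">' % (name, value)


def hidden_input_escaped(name, value):
    # The pattern after the fix: every interpolated value is escaped first.
    return '<input type="hidden" name="%s" value="%s">' % (html_attr(name),
                                                            html_attr(value))


class _FirstTag(HTMLParser):
    """Collect the attributes of the first start tag, the way a browser would
    see them (entity references in attribute values are decoded)."""

    def __init__(self):
        HTMLParser.__init__(self)
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parse_attrs(markup):
    """Return {attribute: value} for the first tag in `markup`."""
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == '__main__':
    before = parse_attrs(hidden_input_unescaped('executable', PAYLOAD))
    after = parse_attrs(hidden_input_escaped('executable', PAYLOAD))
    print('attributes without escaping:', sorted(before))  # onfocus appears
    print('escaped value round-trips:', after.get('value') == PAYLOAD)
```

Running it shows that the unescaped form yields an element with autofocus and onfocus attributes, while the escaped form yields only type, name and value, with value decoding back to the original string.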
Session cookies — missing HttpOnly and Secure flags
All Set-Cookie headers for isfdbUserID, isfdbUserName, isfdbToken, and isfdbDisplayTranslations were missing both flags:
Both flags are now applied consistently across setDomainCookies, clearDomainCookies, and User.translation_cookies. The clear (logout) path carries the flags as well. A cookie is identified by its name, Domain and Path, so the expiring replacement must use the same values to land on the same cookie; and browsers that implement the RFC 6265bis "Leave Secure Cookies Alone" rule refuse to let a cookie set from a non-secure context overwrite an existing Secure cookie, so a logout served over http could no longer clear a Secure session cookie. Keeping the logout headers identical to the login headers apart from the expiry, and tying both to the same PROTOCOL setting, avoids both pitfalls.
Protocol-aware Secure flag
To support private/home-server deployments that run without a TLS certificate, the Secure flag is now conditional on the PROTOCOL setting in localdefs.py. A new module-level constant COOKIESECURE evaluates to '; HttpOnly; Secure' when PROTOCOL == 'https' and '; HttpOnly' otherwise. No changes to localdefs.py or any other file are required for HTTP deployments. Two caveats follow from deriving the flag from configuration rather than from the request: on an http deployment the session cookies still travel in cleartext, which is the accepted trade-off for a home server; and if PROTOCOL says 'https' while the site is actually reached over http (for example through a proxy that terminates TLS elsewhere and is not reflected in the setting), modern browsers refuse to store a Secure cookie set from a non-secure origin, so logins silently fail to persist until PROTOCOL matches the scheme the browser sees.
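As an added example covering both the cookie-flag change and the protocol-aware COOKIESECURE constant (this is not the project's code), the following models the login and logout header paths and adds two checks a reviewer would want: an audit that reports cookies missing HttpOnly, or Secure on an https deployment, and a comparison that confirms the logout cookies carry the same Domain, Path and flags as the cookies they overwrite. PROTOCOL comes from localdefs.py in ISFDB; here it is a parameter, and the function names, domains and values are constructed:

```python
# Added example, not code from login.py. Models setDomainCookies /
# clearDomainCookies and the COOKIESECURE constant; `protocol` stands in
# for PROTOCOL from localdefs.py. Names and sample values are constructed.
COOKIE_NAMES = ('isfdbUserID', 'isfdbUserName', 'isfdbToken',
                'isfdbDisplayTranslations')
EPOCH = 'Thu, 01 Jan 1970 00:00:00 GMT'   # expiry in the past clears a cookie
_ABSENT = object()                         # sentinel for "attribute not set"


def cookie_flags(protocol):
    """Stand-in for COOKIESECURE: Secure only when the site is served over TLS,
    HttpOnly always."""
    return '; HttpOnly; Secure' if protocol == 'https' else '; HttpOnly'


def set_cookie_header(name, value, domain, protocol, expires=None):
    """Build one Set-Cookie value. Domain and Path are fixed so that login and
    logout always address the same cookie slot."""
    header = '%s=%s; Domain=%s; Path=/' % (name, value, domain)
    if expires:
        header += '; Expires=' + expires
    return header + cookie_flags(protocol)


def set_domain_cookies(values, domain, protocol):
    """Login path: one Set-Cookie value per session cookie."""
    return [set_cookie_header(n, values[n], domain, protocol)
            for n in COOKIE_NAMES]


def clear_domain_cookies(domain, protocol):
    """Logout path: same name, Domain, Path and flags as the login cookies,
    with an expiry in the past."""
    return [set_cookie_header(n, '', domain, protocol, expires=EPOCH)
            for n in COOKIE_NAMES]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value}); flag
    attributes such as HttpOnly map to None. Keys are lower-cased because
    attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(';')]
    name, _, value = parts[0].partition('=')
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition('=')
        attrs[key.strip().lower()] = val.strip() or None
    return name, value, attrs


def audit_cookies(headers, protocol):
    """Return (cookie, flag) pairs for every missing flag: HttpOnly is always
    required, Secure whenever the deployment is served over https."""
    missing = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if 'httponly' not in attrs:
            missing.append((name, 'HttpOnly'))
        if protocol == 'https' and 'secure' not in attrs:
            missing.append((name, 'Secure'))
    return missing


def clear_matches_set(set_headers, clear_headers):
    """True when each logout cookie carries the same Domain, Path, HttpOnly
    and Secure attributes as the login cookie it is meant to overwrite."""
    keys = ('domain', 'path', 'httponly', 'secure')
    for s, c in zip(set_headers, clear_headers):
        s_name, _, s_attrs = parse_set_cookie(s)
        c_name, _, c_attrs = parse_set_cookie(c)
        if s_name != c_name:
            return False
        if any(s_attrs.get(k, _ABSENT) != c_attrs.get(k, _ABSENT) for k in keys):
            return False
    return True


if __name__ == '__main__':
    values = {'isfdbUserID': '42', 'isfdbUserName': 'alice',
              'isfdbToken': 'constructed-token', 'isfdbDisplayTranslations': '1'}
    for proto in ('https', 'http'):
        login = set_domain_cookies(values, 'www.example.org', proto)
        logout = clear_domain_cookies('www.example.org', proto)
        print(proto, login[0])
        print('  audit:', audit_cookies(login, proto),
              'logout matches:', clear_matches_set(login, logout))
```

The last check is the one that catches the mismatch discussed above: if the login cookies were issued with PROTOCOL 'https' but the logout headers are built for 'http', clear_matches_set returns False because the Secure attribute differs.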