Security
**XSS: WikiLink**
`user_name` was inserted into both the `href` and the display text without escaping. It is now URL-encoded in the `href` via `Portable_urllib_quote()` and HTML-escaped in the display text via `ISFDBText()`.
**XSS: ISFDBprintSubmissionRecord**
Moderator-entered rejection text was output raw to HTML. It is now wrapped with `ISFDBText()`.
**SQL identifier injection: ISFDBBadUnicodePatternMatch / suspectUnicodePatternMatch**
`fieldname` was inserted directly into SQL `LIKE` clauses. Both functions now validate it against a compiled regex, `_VALID_FIELD_NAME`, that permits only legal SQL identifiers (optionally table-qualified), and raise `ValueError` on an invalid value.
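The two fixes above (the identifier whitelist in front of the `LIKE` queries, and the encode-plus-escape in WikiLink) as a self-contained added example; this is not ISFDB code, and `field_name_is_valid`, `validated_field_name`, `bad_unicode_query` and `wiki_link` are stand-ins that use Python 3's standard library in place of `Portable_urllib_quote()` and `ISFDBText()`. The regex is an assumed reading of "legal SQL identifier, optionally table-qualified".

```python
import re
from html import escape
from urllib.parse import quote

# Assumed pattern for a legal SQL identifier, optionally table-qualified
# (e.g. "title_title" or "titles.title_title"). Anything else is rejected.
_VALID_FIELD_NAME = re.compile(r'[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?')


def field_name_is_valid(fieldname):
    """True if fieldname is an identifier that is safe to splice into SQL.
    fullmatch() is used so a trailing newline cannot slip past a '$' anchor."""
    return _VALID_FIELD_NAME.fullmatch(fieldname) is not None


def validated_field_name(fieldname):
    """Return fieldname unchanged, or raise ValueError if it is not an identifier."""
    if not field_name_is_valid(fieldname):
        raise ValueError('Invalid SQL field name: %r' % (fieldname,))
    return fieldname


def bad_unicode_query(table, fieldname, pattern):
    """Build the LIKE query the way the fixed functions do: the identifiers are
    validated before interpolation, while the pattern value is returned as a
    bound parameter so the DB driver, not string formatting, quotes it."""
    column = validated_field_name(fieldname)
    sql = 'SELECT %s FROM %s WHERE %s LIKE %%s' % (
        column, validated_field_name(table), column)
    return sql, (pattern,)


def wiki_link(user_name):
    """Fixed WikiLink behaviour: URL-encode the name for the href attribute and
    HTML-escape it for the visible link text (two different contexts, two
    different encoders)."""
    href = quote(user_name, safe='')
    text = escape(user_name, quote=True)
    return '<a href="/wiki/User:%s">%s</a>' % (href, text)
```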
Correctness / Control Flow
**ISFDBprintSubmissionRecord**
`displayName` was set inside a `try` block and then tested for existence with a second bare `try`/`except`, a code smell. Replaced by initializing `displayName = 'Unable to determine'` before the `try` block and removing the second `try`/`except` entirely.
**ISFDBSubmissionDoc**
If the XML parse failed, `doc` was never assigned, so the second `try` block raised a `NameError` that was silently swallowed. Added an early `return None` after the parse failure and removed the second `try`/`except` entirely: `getElementsByTagName()` returns an empty list rather than raising when a tag is missing.
**popularNonLatinLanguages / transliteratedReports**
A bare `raise` with no active exception behaves differently between Python 2 (`TypeError`) and Python 3 (`RuntimeError`). Replaced with `raise ValueError('Unknown type: %s' % types)` in both functions.
Robustness: bare except: clauses narrowed
All bare `except:` clauses replaced with specific exception types:

| Function | Replacement |
| --- | --- |
| ISFDBnormalizeDate | `except ValueError:` |
| ISFDBconvertDate (inner) | `except (ValueError, KeyError):` |
| ISFDBconvertDate (outer) | `except (AttributeError, TypeError):` |
| GetElementValue | `except (IndexError, AttributeError):` |
| GetChildValue | `except (IndexError, AttributeError):` |
| TagPresent (outer) | `except (IndexError, AttributeError):` |
| TagPresent (inner) | `except (IndexError, AttributeError, TypeError):` |
| ISFDBFormatImage | `except IndexError:` |
| ConvertPageNumber | `except ValueError:` |
| ISFDBdaysFromToday | `except ValueError:` |
| isfdbUI.PrintHeaders | `except IndexError:` |
Housekeeping
`import re` moved from a local import inside `FormatNote` to module level and reused by `_VALID_FIELD_NAME`.
Anonymous
Ticket moved from /p/isfdb/feature-requests/1690/