Improving safety: sanitizing input, validating and sanitizing data, ensuring proper HTML escaping

This commit is contained in:
Bernd 2025-07-23 20:42:35 +05:00
parent bee297bf19
commit df9085f479
4 changed files with 79 additions and 14 deletions

anime_backlog.db-shm Normal file

Binary file not shown.

anime_backlog.db-wal Normal file

Binary file not shown.


@ -1,6 +1,7 @@
import sqlite3
import csv
import logging
import html
# Set up logging
logging.basicConfig(filename='anime_tracker.log', level=logging.ERROR,
@ -8,7 +9,8 @@ logging.basicConfig(filename='anime_tracker.log', level=logging.ERROR,
class AnimeBackend:
def __init__(self):
self.db = sqlite3.connect('anime_backlog.db')
self.db = sqlite3.connect('anime_backlog.db', isolation_level=None) # Autocommit mode to prevent locks
self.db.execute('PRAGMA journal_mode=WAL') # Use WAL mode for better concurrency
self.create_table()
def create_table(self):
@ -68,25 +70,64 @@ class AnimeBackend:
def add_anime(self, data):
try:
# Sanitize string inputs
sanitized_data = {
'name': html.escape(data['name'].strip()) if data['name'] else '',
'year': data['year'],
'season': data['season'].strip() if data['season'] else '',
'status': data['status'].strip() if data['status'] else 'unwatched',
'type': data['type'].strip() if data['type'] else '',
'comment': html.escape(data['comment'].strip()) if data['comment'] else '',
'url': data['url'].strip() if data['url'] else ''
}
cursor = self.db.cursor()
cursor.execute(
"INSERT INTO anime (name, year, season, status, type, comment, url) VALUES (?, ?, ?, ?, ?, ?, ?)",
(data['name'], data['year'], data['season'], data['status'], data['type'], data['comment'], data['url'])
(
sanitized_data['name'],
sanitized_data['year'],
sanitized_data['season'],
sanitized_data['status'],
sanitized_data['type'],
sanitized_data['comment'],
sanitized_data['url']
)
)
self.db.commit()
except Exception as e:
logging.error(f"Error adding anime: {e}")
self.db.rollback()
def edit_anime(self, anime_id, data):
try:
# Sanitize string inputs
sanitized_data = {
'name': html.escape(data['name'].strip()) if data['name'] else '',
'year': data['year'],
'season': data['season'].strip() if data['season'] else '',
'status': data['status'].strip() if data['status'] else 'unwatched',
'type': data['type'].strip() if data['type'] else '',
'comment': html.escape(data['comment'].strip()) if data['comment'] else '',
'url': data['url'].strip() if data['url'] else ''
}
cursor = self.db.cursor()
cursor.execute(
"UPDATE anime SET name=?, year=?, season=?, status=?, type=?, comment=?, url=? WHERE id=?",
(data['name'], data['year'], data['season'], data['status'], data['type'], data['comment'], data['url'], anime_id)
(
sanitized_data['name'],
sanitized_data['year'],
sanitized_data['season'],
sanitized_data['status'],
sanitized_data['type'],
sanitized_data['comment'],
sanitized_data['url'],
anime_id
)
)
self.db.commit()
except Exception as e:
logging.error(f"Error editing anime id {anime_id}: {e}")
self.db.rollback()
def delete_anime(self, anime_id):
try:
@ -95,6 +136,7 @@ class AnimeBackend:
self.db.commit()
except Exception as e:
logging.error(f"Error deleting anime id {anime_id}: {e}")
self.db.rollback()
def change_status(self, anime_id, new_status):
try:
@ -103,6 +145,7 @@ class AnimeBackend:
self.db.commit()
except Exception as e:
logging.error(f"Error changing status for anime id {anime_id}: {e}")
self.db.rollback()
def add_placeholders_for_year(self, year):
try:
@ -115,6 +158,7 @@ class AnimeBackend:
self.db.commit()
except Exception as e:
logging.error(f"Error adding placeholders for year {year}: {e}")
self.db.rollback()
def import_from_csv(self, file_name):
try:
@ -134,6 +178,13 @@ class AnimeBackend:
year = int(year_str)
except ValueError:
continue
# Sanitize CSV inputs
name = html.escape(name.strip()) if name else ''
season = season.strip() if season else ''
status = status.strip() if status else 'unwatched'
type_ = type_.strip() if type_ else ''
comment = html.escape(comment.strip()) if comment else ''
url = url.strip() if url else ''
cursor.execute(
"SELECT id FROM anime WHERE name = ? AND year = ? AND season = ?",
(name, year, season)
@ -146,6 +197,7 @@ class AnimeBackend:
self.db.commit()
except Exception as e:
logging.error(f"Error importing from CSV {file_name}: {e}")
self.db.rollback()
def export_to_csv(self, file_name):
try:
@ -153,7 +205,7 @@ class AnimeBackend:
cursor.execute("SELECT * FROM anime")
rows = cursor.fetchall()
with open(file_name, 'w', newline='') as f:
writer = csv.writer(f)
writer = csv.writer(f, quoting=csv.QUOTE_MINIMAL)
writer.writerow(['id', 'name', 'year', 'season', 'status', 'type', 'comment', 'url'])
writer.writerows(rows)
except Exception as e:
@ -165,4 +217,5 @@ class AnimeBackend:
cursor.execute("DELETE FROM anime WHERE year = ?", (year,))
self.db.commit()
except Exception as e:
logging.error(f"Error deleting year {year}: {e}")
logging.error(f"Error deleting year {year}: {e}")
self.db.rollback()
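Review bot: The `html.escape` calls at lines 41 and 46 (and again at 71 and 76 in edit_anime) re-escape values that AnimeDialog.get_data already escapes before handing `data` to the backend, so an `&` in a name is stored as `&amp;amp;` and gains another layer each time the entry is edited; the INSERT and UPDATE are already parameterized, so the storage layer gains nothing from HTML-escaping and should store the stripped raw text (`'name': data['name'].strip() if data['name'] else ''`), leaving escaping to wherever the text is actually rendered as HTML. The same applies to import_from_csv at lines 126 and 130: export_to_csv writes the stored (already escaped) rows, so an export/import round trip double-escapes as well, and the lookup at line 133 will no longer match rows written before this commit. Separately, `isolation_level=None` at line 32 puts the connection in autocommit mode, which makes every `self.db.commit()` and `self.db.rollback()` in this file a no-op, so the rollback added to the except branches (lines 66, 97, 104, 111, 118, 139, 157) cannot undo a partially applied multi-row operation such as the CSV import loop; either wrap those loops in an explicit `BEGIN`/`COMMIT` or drop the misleading rollback calls. The WAL mode enabled at line 33 is also what produces the `anime_backlog.db-shm` and `anime_backlog.db-wal` files this commit checks in; they hold live database contents and belong in .gitignore rather than in the repository.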


@ -9,7 +9,7 @@ from PyQt5.QtWidgets import (
QMainWindow, QTabWidget, QScrollArea, QWidget, QVBoxLayout, QTableWidget, QTableWidgetItem,
QLabel, QToolButton, QHBoxLayout, QDialog, QFormLayout, QLineEdit, QSpinBox,
QComboBox, QTextEdit, QDialogButtonBox, QAction, QFileDialog, QMessageBox,
QInputDialog, QApplication, QAbstractItemView, QSizePolicy, QHeaderView, QPushButton
QInputDialog, QApplication, QAbstractItemView, QSizePolicy, QHeaderView
)
from PyQt5.QtCore import Qt, QSettings
from PyQt5.QtGui import QColor, QIcon, QFont
@ -25,6 +25,7 @@ class AnimeDialog(QDialog):
self.setWindowTitle("Add Anime" if entry is None else "Edit Anime")
layout = QFormLayout(self)
self.name_edit = QLineEdit()
self.name_edit.setMaxLength(255) # Prevent overly long inputs
layout.addRow("Name", self.name_edit)
self.year_spin = QSpinBox()
self.year_spin.setRange(1900, 2100)
@ -39,20 +40,23 @@ class AnimeDialog(QDialog):
self.status_combo.addItems(['unwatched', 'watching', 'completed'])
layout.addRow("Status", self.status_combo)
self.comment_edit = QTextEdit()
self.comment_edit.setAcceptRichText(False) # Prevent HTML injection
layout.addRow("Comment", self.comment_edit)
self.url_edit = QLineEdit()
self.url_edit.setMaxLength(2048) # Reasonable limit for URLs
layout.addRow("MAL URL", self.url_edit)
buttons = QDialogButtonBox(QDialogButtonBox.Ok | QDialogButtonBox.Cancel)
buttons.accepted.connect(self.accept)
buttons.rejected.connect(self.reject)
layout.addRow(buttons)
if entry:
self.name_edit.setText(entry[1])
# Unescape for display in input fields
self.name_edit.setText(html.unescape(entry[1]))
self.year_spin.setValue(entry[2])
self.season_combo.setCurrentText(entry[3])
self.status_combo.setCurrentText(entry[4])
self.type_combo.setCurrentText(entry[5] or '')
self.comment_edit.setText(entry[6] or '')
self.comment_edit.setPlainText(html.unescape(entry[6] or ''))
self.url_edit.setText(entry[7] or '')
else:
if default_year is not None:
@ -70,14 +74,15 @@ class AnimeDialog(QDialog):
self.season_combo.setEnabled(True)
def get_data(self):
# Sanitize inputs by escaping special characters
return {
'name': self.name_edit.text(),
'name': html.escape(self.name_edit.text().strip()),
'year': self.year_spin.value(),
'season': self.season_combo.currentText(),
'status': self.status_combo.currentText(),
'type': self.type_combo.currentText(),
'comment': self.comment_edit.toPlainText(),
'url': self.url_edit.text()
'season': html.escape(self.season_combo.currentText().strip()),
'status': html.escape(self.status_combo.currentText().strip()),
'type': html.escape(self.type_combo.currentText().strip()),
'comment': html.escape(self.comment_edit.toPlainText().strip()),
'url': html.escape(self.url_edit.text().strip())
}
class ShortcutsDialog(QDialog):
@ -514,6 +519,7 @@ class AnimeTracker(QMainWindow):
index = self.tab_widget.addTab(year_tab, tab_text)
if completed:
self.tab_widget.tabBar().setTabTextColor(index, QColor('gray'))
self.filter_tables(self.search_text) # Apply search filter after loading tabs
def create_actions_widget(self, anime_id, status):
widget = QWidget()
@ -572,6 +578,9 @@ class AnimeTracker(QMainWindow):
if dialog.exec_() == QDialog.Accepted:
current_id = self.get_current_tab_identifier()
data = dialog.get_data()
if not data['name']:
QMessageBox.warning(self, "Error", "Anime name cannot be empty.")
return
self.backend.add_anime(data)
self.load_tabs()
self.set_current_tab_by_identifier(current_id)
@ -583,6 +592,9 @@ class AnimeTracker(QMainWindow):
dialog = AnimeDialog(self, entry)
if dialog.exec_() == QDialog.Accepted:
data = dialog.get_data()
if not data['name']:
QMessageBox.warning(self, "Error", "Anime name cannot be empty.")
return
self.backend.edit_anime(anime_id, data)
self.load_tabs()
self.set_current_tab_by_identifier(current_id)
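Review bot: get_data (lines 210–221) HTML-escapes every field including `url`, but the edit path only unescapes `name` and `comment` for display (lines 194, 200) and loads `entry[7]` into `url_edit` verbatim (line 201), so a MAL URL containing a query string with `&` is stored as `&amp;`, picks up another escaping layer on each edit, and is unlikely to resolve when opened. The URL should be stripped and, if anything, validated (e.g. require an http/https scheme) rather than HTML-escaped: `'url': self.url_edit.text().strip()`. The escaping at lines 217–219 is harmless because the combo values come from fixed item lists, but it obscures where untrusted text actually enters. This layer is also redundant with AnimeBackend.add_anime/edit_anime, which escape name and comment a second time; escaping belongs at the single point where text is rendered as rich text or HTML (hedged: a QLabel auto-detects rich text unless its format is set to plain text, so that is the place to check), and the database should keep the original text.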