internetarchive/openlibrary

refactor: convert Follow.html from macro to template for better security and type safety

Open

#12634 opened on May 5, 2026

View on GitHub
 (4 comments) (0 reactions) (1 assignee)Python (4,626 stars) (1,172 forks)batch import
Good First IssueLead: @mekarpelesNeeds: BreakdownNeeds: ResponseNeeds: Review AssigneePriority: 3Type: Bug

Description

Context

Follow.html is currently a macro (openlibrary/macros/Follow.html) that accepts a link_track parameter and injects it directly into an HTML attribute string. This was flagged during review of #12367.

Jim Champ (jimchamp) noted:

If a macro receives an argument of an object, maybe it should be a template (i.e. security, avoid untypable/uncheckable args)

Problem

  1. Attribute injection: The macro builds a raw attribute string via 'data-ol-link-track="%s"' % link_track — if link_track ever contains ", <, or >, it can break markup. (#12367 adds a .replace('"', '&quot;') bandage, but this pattern is fragile.)

  2. Uncheckable args: Macros in web.py accept positional/keyword args but have no type annotations or input validation — any caller can pass arbitrary objects and the error won't surface until render time.

  3. Injection surface: As a macro callable from any template, Follow.html is harder to audit for misuse than a template, which has a defined call signature and is invoked via render_template().

Proposed Fix

Convert openlibrary/macros/Follow.htmlopenlibrary/templates/follow/follow.html (or similar path under templates).

Benefits:

  • Native template attribute rendering (data-ol-link-track="$link_track") auto-escapes the value via web.py's $ interpolation, eliminating the attribute injection risk without a manual workaround
  • Templates are rendered via render_template() which is more auditable
  • Type-checkable signature

Related

  • Flagged during review of PR #12367 (adds link_track parameter to Follow macro)
  • Copilot thread: interprets as XSS vector

Contributor guide

Tech stack
pythonhtml
Domain
backendsecurity
Issue type
refactor
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
blocked
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Python basicsweb.py template systemHTML escaping
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Review the existing macro at openlibrary/macros/Follow.html and the proposed new location openlibrary/templates/follow/follow.html. Analyze PR #12367 to understand the link track parameter usage. Implement the conversion ensuring proper escaping via web.py's template engine. Update any templates that currently call the macro to use the new template rendering approach.