diff --git a/bandit.yml b/bandit.yml
index fce28629e8..b8560e97c8 100644
--- a/bandit.yml
+++ b/bandit.yml
@@ -1 +1 @@
-skips: ['B605', 'B404', 'B603', 'B607']
\ No newline at end of file
+skips: ['E0203', 'B605', 'B404', 'B603', 'B607']
\ No newline at end of file
diff --git a/frappe/core/doctype/comment/comment.js b/frappe/core/doctype/comment/comment.js
index 47e7b2908e..a793f766cb 100644
--- a/frappe/core/doctype/comment/comment.js
+++ b/frappe/core/doctype/comment/comment.js
@@ -2,7 +2,7 @@
 // For license information, please see license.txt
 frappe.ui.form.on('Comment', {
- refresh: function(frm) {
+ // refresh: function(frm) {
- }
+ // }
 });
diff --git a/frappe/core/doctype/comment/comment.py b/frappe/core/doctype/comment/comment.py
index e7b495a863..3280d017f0 100644
--- a/frappe/core/doctype/comment/comment.py
+++ b/frappe/core/doctype/comment/comment.py
@@ -150,7 +150,7 @@ def update_comments_in_parent(reference_doctype, reference_name, _comments):
 try:
 # use sql, so that we do not mess with the timestamp
 frappe.db.sql("""update `tab{0}` set `_comments`=%s where name=%s""".format(reference_doctype),
- (json.dumps(_comments), reference_name))
+ (json.dumps(_comments[-50:]), reference_name)) # nosec
 except Exception as e:
 if frappe.db.is_column_missing(e) and getattr(frappe.local, 'request', None):
diff --git a/frappe/core/doctype/comment/test_comment.py b/frappe/core/doctype/comment/test_comment.py
index 98009875ec..0f46f0b3b5 100644
--- a/frappe/core/doctype/comment/test_comment.py
+++ b/frappe/core/doctype/comment/test_comment.py
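Review bot: `E0203` is not a bandit test id — bandit's `skips` list takes its own `B`-prefixed ids, as the other four entries do, while E0203 is pylint's access-member-before-definition message, so the new entry cannot suppress anything in bandit. Depending on the bandit version, an unknown id in the profile is either ignored or rejected as an unknown test, so confirm what `bandit -c bandit.yml` does with this file before merging. If the intent is to silence pylint, the id belongs in the pylint configuration instead, and this line should stay `skips: ['B605', 'B404', 'B603', 'B607']`.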
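Review bot: The new `# nosec` silences bandit's SQL-injection check on a statement whose table name is spliced in with `.format(reference_doctype)`, but the hunk records no reason why that value is safe to interpolate, so the suppression cannot be audited later. Justify and narrow it on the line, e.g. `# nosec B608 - reference_doctype is a DocType name, not request input` (test-id-scoped nosec needs a bandit version that supports it; otherwise keep the reason in the comment), and the same applies to the two `# nosec` markers added in delete_doc.py on `delete_references` and `clear_references`, which also format `doctype` and the two field-name parameters into their queries. Separately, `_comments[-50:]` introduces an undocumented cap on how many comments are persisted on the parent; give it a name such as `MAX_COMMENTS_IN_PARENT = 50` at module level and note in a comment that older entries are dropped. update_comments_in_parent continues outside the hunk.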
@@ -32,10 +32,26 @@ class TestComment(unittest.TestCase):
 from frappe.website.doctype.blog_post.test_blog_post import make_test_blog
 test_blog = make_test_blog()
+ frappe.db.sql("delete from `tabComment` where reference_doctype = 'Blog Post'") + from frappe.templates.includes.comments.comments import add_comment
 add_comment('hello', 'test@test.com', 'Good Tester', 'Blog Post', test_blog.name, test_blog.route)
+ self.assertEqual(frappe.get_all('Comment', fields = ['*'], filters = dict(
+ reference_doctype = test_blog.doctype,
+ reference_name = test_blog.name
+ ))[0].published, 1)
+
+ frappe.db.sql("delete from `tabComment` where reference_doctype = 'Blog Post'")
+
+ add_comment('pleez vizits my site http://mysite.com', 'test@test.com', 'bad commentor',
+ 'Blog Post', test_blog.name, test_blog.route)
+
+ self.assertEqual(frappe.get_all('Comment', fields = ['*'], filters = dict(
+ reference_doctype = test_blog.doctype,
+ reference_name = test_blog.name
+ ))[0].published, 0)
diff --git a/frappe/model/delete_doc.py b/frappe/model/delete_doc.py
index e5490dbd88..0a1ffcdb3c 100644
--- a/frappe/model/delete_doc.py
+++ b/frappe/model/delete_doc.py
@@ -285,7 +285,7 @@ def delete_references(doctype, reference_doctype, reference_name,
 reference_doctype_field = 'reference_doctype', reference_name_field = 'reference_name'):
 frappe.db.sql('''delete from `tab{0}` where {1}=%s and {2}=%s'''.format(doctype, reference_doctype_field, reference_name_field),
- (reference_doctype, reference_name))
+ (reference_doctype, reference_name)) # nosec
 def clear_references(doctype, reference_doctype, reference_name,
 reference_doctype_field = 'reference_doctype', reference_name_field = 'reference_name'):
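Review bot: The raw `delete from `tabComment` where reference_doctype = 'Blog Post'` cleanup is pasted twice into the test body and, within the hunk, no cleanup follows the final assertion, so a failing assertion leaves rows behind for whatever test runs next. Move it into a small helper and register it with `self.addCleanup(...)` (or `tearDown`) so the table is cleared regardless of outcome. The second case asserts `published == 0` for a comment containing a URL but nothing names the behaviour under test; a one-line comment such as `# a comment containing a link is created unpublished (published = 0)` above that assertion would make the expectation legible. The enclosing test method starts outside the hunk.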
@@ -295,7 +295,7 @@ def clear_references(doctype, reference_doctype, reference_name,
 {1}=NULL, {2}=NULL where {1}=%s and {2}=%s'''.format(doctype, reference_doctype_field, reference_name_field),
- (reference_doctype, reference_name))
+ (reference_doctype, reference_name)) # nosec
 def insert_feed(doc):
diff --git a/frappe/public/js/frappe/desk.js b/frappe/public/js/frappe/desk.js
index ec01e611d1..d0464d46cd 100644
--- a/frappe/public/js/frappe/desk.js
+++ b/frappe/public/js/frappe/desk.js
@@ -397,7 +397,7 @@ frappe.Application = Class.extend({
 }
 });
 dialog.set_primary_action(__('Login'), () => {
- me.dialog.set_message(__('Authenticating...'));
+ dialog.set_message(__('Authenticating...'));
 frappe.call({
 method: 'login',
 args: {
diff --git a/frappe/website/doctype/blog_post/test_blog_post.py b/frappe/website/doctype/blog_post/test_blog_post.py
index 27d1089186..3980245c8c 100644
--- a/frappe/website/doctype/blog_post/test_blog_post.py
+++ b/frappe/website/doctype/blog_post/test_blog_post.py
@@ -39,7 +39,7 @@ def make_test_blog():
 category_name = 'Test Blog Category', title='Test Blog Category')).insert()
 if not frappe.db.exists('Blogger', 'test-blogger'):
- blogger = frappe.get_doc(dict(
+ frappe.get_doc(dict(
 doctype = 'Blogger',
 short_name='test-blogger',
 full_name='Test Blogger')).insert()