
Bandit scanner and fixes

The bandit security scanner was used by Radically Open Security in their audit. This merge request enables bandit on every merge request. Some important warnings are disabled in this merge request because some larger issues need to be fixed first. The globally disabled warnings were simply too pedantic to be useful to us.
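As an added illustration (not configuration from this merge request or the project), the following shows the two pieces such a setup needs: a bandit config file that globally skips a few checks, and a GitLab CI job that runs the scanner on every merge request pipeline. The file names `bandit.yaml` and `.gitlab-ci.yml`, the Python image, and the specific skipped test IDs (B101 assert_used, B311 non-cryptographic random) are assumptions; the merge request does not list which warnings were disabled.

```yaml
# --- file: bandit.yaml (assumed name) ---
# Checks skipped globally. Which IDs to skip is a project decision;
# B101 (assert statements) and B311 (random module) are common
# "too pedantic" candidates and are used here only as an example.
skips:
  - B101
  - B311
# Test code is usually noisy for a security scanner.
exclude_dirs:
  - tests

# --- file: .gitlab-ci.yml (job fragment) ---
bandit:
  stage: test
  image: python:3.12
  rules:
    # Run only in merge request pipelines, so every MR gets scanned.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - pip install bandit
    # -r: recurse into the repository; -c: use the config above;
    # -ll: fail only on medium severity and above (bandit exits
    # non-zero when it reports findings, which fails the job).
    - bandit -r . -c bandit.yaml -ll
```

Keeping the skip list in the config file rather than on the command line makes the disabled checks reviewable in the repository, so re-enabling one later is a one-line change in a merge request of its own.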

There are some unfixed XML DoS issues; that work should probably be combined with moving all the XML parsing to a single XML library. I think lxml should be the one, since it is widely available, has fewer DoS issues and seems to be the fastest.
