DEV Community

Artur Balsam
Artur Balsam

Posted on

PyScript XSS

Run XSS in Your browser

With additional steps

Intro

Last month Anaconda, release the PyScript https://github.com/pyscript/pyscript. Simplifying: The Python in browser, with HTML and JavaScript. Javascript and python, in the browser,. What can possibly can go wrong.

DISCLAIMER: It's fun post, pyscript is great idea, but as everything, security should be some concern.

PyScript XSS

Let's check how it works:
index.html

<!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
        <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
    </head>
    <body>
        <py-script src="/test.py"></py-script>
    </body>
</html>
Enter fullscreen mode Exit fullscreen mode

test.py

print('as<img src=x onerror=alert(1)>df')
Enter fullscreen mode Exit fullscreen mode

and here we are, with XSS:

Image description

Outro

Make no mistake, The PyScript, is brilliant product! Just don't forget about security.

Discussion (0)