DISCLAIMER: This is a fun post. PyScript is a great idea, but, as with everything, security should be a concern.
Let's check how it works:
<!DOCTYPE html>
<html>
  <head>
    <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
    <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
  </head>
  <body>
    <py-script src="/test.py"></py-script>
  </body>
</html>
# /test.py: PyScript alpha renders print() output into the page as HTML,
# so the <img> tag below is parsed by the browser and its onerror handler runs.
print('as<img src=x onerror=alert(1)>df')
and here we are, with XSS:
Make no mistake, PyScript is a brilliant product! Just don't forget about security.
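Added example (not from the original post, and not PyScript's own API): plain Python that shows why the string passed to print() above is dangerous and how to render the same string safely. It assumes the untrusted value is whatever ends up as the print() argument, and uses only the standard-library html module, which Pyodide (and therefore PyScript) also ships.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the same string the post passes to print() in /test.py.
UNTRUSTED = 'as<img src=x onerror=alert(1)>df'


class _TagFinder(HTMLParser):
    """Collects every start tag and inline event-handler attribute seen."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith('on'):
                self.handlers.append(f'{tag}.{name}')


def find_markup(text):
    """Return (tags, event_handlers) an HTML parser finds in text.

    A non-empty result means that if this text reaches print() in
    PyScript alpha, the browser will treat it as markup, not as data.
    """
    finder = _TagFinder()
    finder.feed(text)
    finder.close()
    return finder.tags, finder.handlers


def safe_output(text):
    """Escape text so the browser shows it literally instead of parsing it."""
    return html.escape(text, quote=True)


if __name__ == '__main__':
    print('raw    :', find_markup(UNTRUSTED))              # (['img'], ['img.onerror'])
    print('escaped:', find_markup(safe_output(UNTRUSTED)))  # ([], [])
    print(safe_output(UNTRUSTED))  # as&lt;img src=x onerror=alert(1)&gt;df
```

Passing `safe_output(value)` instead of `value` to print() keeps the visible text identical for the user while leaving the browser nothing to execute.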