DEV Community

Tomasz Wegrzanowski
Tomasz Wegrzanowski

Posted on

Open Source Adventures: Episode 58: PyScript: First Impressions

An alpha version of PyScript just came out, with tagline "Run Python in Your HTML". Let's check it out.

Documentation is mostly all wrong, so there's a lot of steps to get it even running.

Download

The download instructions are:

  • Download PyScript now
  • Unzip the downloaded file
  • Copy the assets you want to use and add the following lines to your html file

There's just one problem, there are no asset files in that zip.

So instead we need to manually download https://pyscript.net/alpha/pyscript.css and https://pyscript.net/alpha/pyscript.js instead.

That however does not work, as it then crashes trying to get pyscript.py, so we need to get https://pyscript.net/alpha/pyscript.py as well.

Local server

I tried just creating a Hello World HTML and opening it as a local file, but that got into instant CORS error.

It's unfortunately more and more common with anything that uses modern web technologies.

Fortunately Python comes with a builtin HTTP server, so we can run python3 -m http.server 8080 and then open http://localhost:8080/hello.html

Hello, World!

OK, with that out of the way, let's write the simplest possible Python script:

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <title>Hello World</title>
  <link rel="stylesheet" href="./pyscript.css" />
  <script defer src="./pyscript.js"></script>
</head>
<body>
  <py-script>
    print("Hello World")
  </py-script>
</body>
</html>
Enter fullscreen mode Exit fullscreen mode

If opened from local server, it at least no longer gets any errors in the network tab.

What happens then is that about 10% of time I get "Hello World" printed. And 90% of time there's an error in console like this:

JsException: SyntaxError: Failed to execute 'querySelector' on 'Document': '#-49bea52c-4893-412d-cba1-447d24c65f0a' is not a valid selector.
Enter fullscreen mode Exit fullscreen mode

And only a pink bar in the document. I thought it might be some issues with some Chrome Extensions, so I tried it in an incognito window or in Safari, same thing.

It's very clearly some race condition.

Should you use PyScript?

Obviously not yet.

Coming next

All the code is on GitHub.

I want to come back to PyScript at some point, but in the next episode we'll actually take a look at Opal Ruby, which recently got 1.5 release.

Top comments (5)

Collapse
 
wiseai profile image
Mahmoud Harmouch • Edited

The other day, I was tinkering around that library hunting for security vulns, turns out that the majority of os methods are blocked by default. So, I was attempting the following:

with open("/lib/python3.10/hacky_module.py", "wt") as f:
    f.write("import os;command = "ls -la";print(os.system(command))")

import hacky_module
Enter fullscreen mode Exit fullscreen mode

Which gives the following output:

-1 
Enter fullscreen mode Exit fullscreen mode

Meaning that an error was thrown. However, you can run the following:

import os
print(os.listdir('/'))
Enter fullscreen mode Exit fullscreen mode

which returns:

['tmp', 'home', 'dev', 'proc', 'lib']
Enter fullscreen mode Exit fullscreen mode

Same for the subprocess module:

import subprocess
command = "ls -la"

list_dirs = subprocess.run(["bash", "-c", command],
    stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    check=True,
    text=True)

print(list_dirs.stdout)
Enter fullscreen mode Exit fullscreen mode

Which throws an error when executing it.

So, the framework is pretty secure. Other than the race condition, the only downside is being ridiculously slow. I am not sure whether or not it is a problem tied to the framework or the language itself: python. Most likely the latter. I will be investigating this over the weekend.

Collapse
 
taw profile image
Tomasz Wegrzanowski

It runs in WASM so any vulnerabilities you'd get would be browser vulnerabilities, right?
There's probably some fake emulated "file system", wasm running in the browser has no access to platform files.

Collapse
 
vulcanwm profile image
Medea

Damn…

Collapse
 
taw profile image
Tomasz Wegrzanowski

The problems I ran into are probably going to get fixed over the next few weeks. PyScript is officially "alpha".

Collapse
 
vulcanwm profile image
Medea

Ah that’s okay then