DEV Community

Tomasz Wegrzanowski

Open Source Adventures: Episode 58: PyScript: First Impressions

An alpha version of PyScript just came out, with the tagline "Run Python in Your HTML". Let's check it out.

The documentation is mostly wrong, so there are a lot of steps to even get it running.

Download

The download instructions are:

  • Download PyScript now
  • Unzip the downloaded file
  • Copy the assets you want to use and add the following lines to your html file

There's just one problem: there are no asset files in that zip.

So we need to manually download https://pyscript.net/alpha/pyscript.css and https://pyscript.net/alpha/pyscript.js instead.

That, however, still does not work: it then crashes trying to get pyscript.py, so we need to get https://pyscript.net/alpha/pyscript.py as well.

Local server

I tried just creating a Hello World HTML and opening it as a local file, but that immediately ran into a CORS error.

It's unfortunately more and more common with anything that uses modern web technologies.

Fortunately Python comes with a built-in HTTP server, so we can run python3 -m http.server 8080 and then open http://localhost:8080/hello.html.
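Added example, not from the original post: python3 -m http.server listens on every network interface by default and serves the whole working directory, so this variant binds to 127.0.0.1 and answers only for the four files used in this walkthrough. The ALLOWED set, AllowlistHandler and make_server are names chosen for this example.

```python
"""Loopback-only static server for the PyScript hello-world files."""
import functools
import http.server
import posixpath
from urllib.parse import unquote, urlsplit

# Assumption: the page needs only the files named in this post.
ALLOWED = {"/hello.html", "/pyscript.css", "/pyscript.js", "/pyscript.py"}


class AllowlistHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files from `directory`, but only paths listed in ALLOWED."""

    def send_head(self):
        # Normalise first, so "/x/../pyscript.py" or percent-encoded dots are
        # judged on the path they resolve to, and query strings are ignored.
        path = posixpath.normpath(unquote(urlsplit(self.path).path))
        if path not in ALLOWED:
            self.send_error(404, "Not found")
            return None
        return super().send_head()

    def log_message(self, fmt, *args):
        pass  # keep the example quiet; remove this override to see access logs


def make_server(directory, port=8080):
    """Return a server bound to 127.0.0.1 only (port 0 picks a free port)."""
    handler = functools.partial(AllowlistHandler, directory=directory)
    return http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)


if __name__ == "__main__":
    with make_server(".") as httpd:
        print("Serving http://127.0.0.1:%d/hello.html" % httpd.server_address[1])
        httpd.serve_forever()
```

For a quick one-off, python3 -m http.server 8080 --bind 127.0.0.1 gives the loopback binding without the allowlist.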

Hello, World!

OK, with that out of the way, let's write the simplest possible Python script:

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <title>Hello World</title>
  <link rel="stylesheet" href="./pyscript.css" />
  <script defer src="./pyscript.js"></script>
</head>
<body>
  <py-script>
    print("Hello World")
  </py-script>
</body>
</html>

When opened from the local server, it at least no longer gets any errors in the network tab.

What happens then is that about 10% of the time I get "Hello World" printed. And 90% of the time there's an error in the console like this:

JsException: SyntaxError: Failed to execute 'querySelector' on 'Document': '#-49bea52c-4893-412d-cba1-447d24c65f0a' is not a valid selector.

And only a pink bar in the document. I thought it might be an issue with some Chrome extensions, so I tried it in an incognito window or in Safari: same thing.

It's very clearly some race condition.

Should you use PyScript?

Obviously not yet.

Coming next

All the code is on GitHub.

I want to come back to PyScript at some point, but in the next episode we'll actually take a look at Opal Ruby, which recently got a 1.5 release.

Top comments (5)

Mahmoud Harmouch • Edited

The other day, I was tinkering with that library, hunting for security vulns, and it turns out that the majority of os methods are blocked by default. So, I was attempting the following:

with open("/lib/python3.10/hacky_module.py", "wt") as f:
    f.write("import os;command = 'ls -la';print(os.system(command))")

import hacky_module

Which gives the following output:

-1 

Meaning that an error was thrown. However, you can run the following:

import os
print(os.listdir('/'))

which returns:

['tmp', 'home', 'dev', 'proc', 'lib']

Same for the subprocess module:

import subprocess
command = "ls -la"

list_dirs = subprocess.run(["bash", "-c", command],
    stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    check=True,
    text=True)

print(list_dirs.stdout)

Which throws an error when executing it.

So, the framework is pretty secure. Other than the race condition, the only downside is being ridiculously slow. I am not sure whether it is a problem tied to the framework or the language itself: Python. Most likely the latter. I will be investigating this over the weekend.

Tomasz Wegrzanowski

It runs in WASM so any vulnerabilities you'd get would be browser vulnerabilities, right?
There's probably some fake emulated "file system", wasm running in the browser has no access to platform files.

Medea

Damn…

Tomasz Wegrzanowski

The problems I ran into are probably going to get fixed over the next few weeks. PyScript is officially "alpha".

Medea

Ah that’s okay then
