DEV Community

Artur Balsam


PyScript XSS

Run XSS in Your browser

With additional steps

Intro

Last month Anaconda released PyScript (https://github.com/pyscript/pyscript). Simplifying: Python in the browser, alongside HTML and JavaScript. JavaScript and Python, in the browser. What could possibly go wrong?

DISCLAIMER: This is a fun post; PyScript is a great idea, but as with everything, security should be a concern.

PyScript XSS

Let's check how it works:
index.html

<!DOCTYPE html>
<html>
  <head>
    <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
    <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
  </head>
  <body>
    <py-script src="/test.py"></py-script>
  </body>
</html>

test.py

print('as<img src=x onerror=alert(1)>df') 

And here we are, with XSS: the print() output is written into the page as HTML, so the <img> tag is parsed and its onerror handler runs.

[screenshot of the resulting alert]
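As an added example (not code from the post or from PyScript): since print() output lands in the page as HTML, anything printed that did not originate in the script itself should be HTML-escaped first. The helper below, safe_print (a hypothetical name, not a PyScript API), escapes every argument before printing, and looks_like_markup checks whether a string would hand the browser's parser a tag. It runs under plain CPython; inside a <py-script> block it would take the place of the print() call in test.py.

```python
import html
import re

# Constructed sample: the string from the post's test.py. Under PyScript,
# print() writes its output into the page as HTML, so the <img> tag is parsed
# and its onerror handler runs. Under plain CPython it is just a string.
PAYLOAD = "as<img src=x onerror=alert(1)>df"

# Matches the start of an HTML tag, end tag, comment or declaration: what the
# browser's parser would act on if the string were written into the page raw.
TAG_START = re.compile(r"<[A-Za-z/!?]")


def escape_output(value) -> str:
    """Return `value` as text the browser will display literally.

    html.escape turns & < > " ' into entities, so the characters are shown
    but never parsed as markup or as attribute delimiters.
    """
    return html.escape(str(value), quote=True)


def looks_like_markup(value: str) -> bool:
    """True if writing `value` into the page raw would give the parser a tag."""
    return TAG_START.search(value) is not None


def safe_print(*values, sep=" ", end="\n"):
    """Drop-in replacement for print() inside a <py-script> block.

    Hypothetical helper, not part of PyScript: escapes every argument before
    the output reaches the page, so data that came from outside the script
    (form fields, URL parameters, API responses) cannot inject markup.
    """
    print(sep.join(escape_output(v) for v in values), end=end)


if __name__ == "__main__":
    print(looks_like_markup(PAYLOAD))                 # True
    print(looks_like_markup(escape_output(PAYLOAD)))  # False
    safe_print("user said:", PAYLOAD)                 # shows the tag as text
```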

Outro

Make no mistake, PyScript is a brilliant product! Just don't forget about security.
