TODO project is vulnerable to XSS/HTML injection attacks

[dmdhrumilmistry]

Checklist

• I added a descriptive title
• I searched for other issues and couldn't find a solution or duplication
• I already searched in Google and didn't find any good information or help

What happened?

TODO example project is vulnerable to XSS/HTML injection attacks.

Payload Used:

<button onclick='javascript:confirm("vulnerable");document.location.href="https://dmdhrumilmistry.github.io"'>click me</button>

Result:

Issue: Since most of the devs will be learning pyscript referring the examples, they'll be making applications which will be vulnerable to XSS/HTML injection. We would appreciate if pyscript team can also use secure coding techniques while creating examples; this will help devs to build secure applications.

What browsers are you seeing the problem on? (if applicable)

No response

Console info

No response

Additional Context

creating a cheatsheet might help devs to avoid such common issues in their applications

[WebReflection]

@dmdhrumilmistry I'm afraid I am not sure I am following ... that's just how any Web page works?

<!doctype html>
<button onclick='javascript:confirm("vulnerable");document.location.href="https://dmdhrumilmistry.github.io"'>click me</button>

you are not using a py-click handler, you are showing any valid HTML, so what has this project in particular to do with your example? 🤔

[WebReflection]

@dmdhrumilmistry wait a minute ... are you saying that if you add HTML as TODO item content that gets injected as HTML? Not sure that's just intentional / by-design for demo sake, but if that's the case we might avoid tasks as HTML, yes 👍

[WebReflection]

@dmdhrumilmistry I've just tested locally and also checked the file part where we use innerText, not innerHTML to add the task ... this is what I see so we might need a step-by-step way to reproduce your issue or maybe it was fixed already (a month ago) and it's not live yet.

/cc @antocuni @fpliger

edit This is odd ... last change is from a year ago or something around that code 707474e

[dmdhrumilmistry]

using innerText would fix the issue! ohh okay. cool. When will it be deployed?

[WebReflection]

@dmdhrumilmistry I am not sure when it's planned, but maybe @antocuni or @FabioRosado or @fpliger would know. They are at PyCon right so there might be some unintentional delay in answering this, the good thing is that current project doesn't break our expectations so please be patient, thank you!

[FabioRosado]

I may be wrong since I've been focused on the pyscript.com side of things but I'm assuming that the next release will happen when the work for workers is a bit more stable 🤔

[dmdhrumilmistry]

okay cool!

[fpliger]

Sorry I missed the thread.

Yes, next release should be happening within a month timeframe (the big task holding the release is indeed workers, as @FabioRosado mentioned).

@WebReflection @dmdhrumilmistry am I reading correctly that, given the comments above around innerText, we can close this issue?

[WebReflection]

@fpliger the label waiting for release is there to signal this is not a bug (anymore) and will be closed once we release. If we close it before that there's no signal the bug is gone because there's no opened issue so we should just ignore these labelled issues and close them once we release.

[dmdhrumilmistry]

Sorry I missed the thread.

Yes, next release should be happening within a month timeframe (the big task holding the release is indeed workers, as @FabioRosado mentioned).

@WebReflection @dmdhrumilmistry am I reading correctly that, given the comments above around innerText, we can close this issue?

@fpliger, I'll prefer to close this once after releasing the fix. Else team might miss the issue.

[fpliger]

@dmdhrumilmistry 👍

@WebReflection Ok. This is different than the process we were adopting earlier (I probably missed the changes). I guess the rationale here is reflecting the state of the latest released version vs the state of main. We are due to sit down and put down a project/contribution workflow and guidelines anyway, so let's make sure we talk through this when we have that conversation