Add warning for html.script

[Archmonger]

Current Situation

Currently, there is no documented warnings for the potential of XSS attacks when using html.script

Proposed Actions

We should add a disclaimer to warn users not to use raw user inputs (from any untrusted data source) within the script contents to avoid XSS attacks.

[ZEUS-03]

Can you assign me the task? Will be a good starting point.

[Archmonger]

We don't utilize the issue assignment feature on GitHub. The first person to open a draft PR gets priority to resolve it.

[ZEUS-03]

ok thanks! will do that.

[rmorshea]

@Archmonger, was your intention for this to be in the docstring.

[Archmonger]

Yeah, since the docstring gets turned into auto-docs.

[ZEUS-03]

hey! can you please tell me where do i have to put or write the documention i mean in which file?

[rmorshea]

https://github.com/reactive-python/reactpy/blob/main/src/reactpy/html.py

[rmorshea]

@Archmonger, can we create a follow-up ticket for a tool that would sanitize inputs to scripts? I think we can do more to help mitigate this risk for users.

[Archmonger]

You think this could be added to our flake8 plugin?

[rmorshea]

It's possible, but if that's all we supplied users might improperly sanitize inputs. Better to provide a standardized solution.

[Archmonger]

That might be a bit over engineered for a tag that we shouldn't incentivize using.

In my opinion, due to script tags being inherently dangerous we should treat them similar to React dangerouslySetInnerHtml.

It's best to get the idea into user's heads that "you can use this but it's risky so you probably shouldn't."

[rmorshea]

I like that idea. We could require the script to be passed as a kwarg with a scary name like insecurely_eval or something.