brython-dev / brython

Brython (Browser Python) is an implementation of Python 3 running in the browser
BSD 3-Clause "New" or "Revised" License

brython no longer supports scripts included via the srcdoc attribute of an iframe #2500

Closed djoume closed 1 month ago

djoume commented 1 month ago

Hello, I'm developing a mobile app to learn code (https://fata.school/app) and I'm using brython for some of the python exercises.

In order to isolate student-written code from the rest of the app I'm running brython and the user code within an iframe, the student code being loaded via the srcdoc attribute of the iframe. This was working fine up until brython 3.11, but when I upgraded to 3.13 I started getting the exception: Error: not a url: about:srcdoc#userCode.

I tracked down the issue to this commit that removes the protocol/host from url using a regexp, but doesn't handle the about: scheme.

I have a proposed fix in a branch and will open a PR shortly.

denis-migdal commented 1 month ago

If you don't need DOM access, you'd better execute your code in a WebWorker?

Otherwise I'd strongly advise against using the srcdoc HTML attribute, instead:

// https://stackoverflow.com/questions/8240101/set-content-of-iframe
iframe.src = "about:blank";
iframe.contentWindow!.document.open();
iframe.contentWindow!.document.write( YOUR_CODE );
iframe.contentWindow!.document.close();

But indeed using URL in Brython instead of a Regex would be more secure.
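
The failure discussed in this thread, shown as an added example that is not code from Brython or from any commenter: a hypothetical `scheme://host` regex (an assumption, since the expression from the commit is not shown on this page) rejects `about:srcdoc#userCode`, while the standard `URL` parser accepts it and reports an opaque origin. Function names and sample URLs are constructed for illustration.

```javascript
// Hypothetical stand-in for "strip protocol/host with a regexp".
// It only understands URLs that have an authority part (scheme://host).
const HIERARCHICAL = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)(.*)$/i;

function stripOriginWithRegex(href) {
  const m = HIERARCHICAL.exec(href);
  if (m === null) {
    // about:srcdoc has no "//host", so it ends up here
    throw new Error("not a url: " + href);
  }
  return m[3]; // path + query + fragment
}

// Same job using the WHATWG URL parser, which knows about schemes
// without an authority component (about:, data:, blob:, ...).
function describeScriptUrl(href) {
  const u = new URL(href); // throws TypeError if href is not a URL at all
  return {
    scheme: u.protocol,       // "about:" for a srcdoc document
    host: u.host,             // "" when there is no authority
    origin: u.origin,         // "null" marks an opaque origin
    key: u.pathname + u.hash, // identifier with scheme/host removed
  };
}

// Constructed sample inputs: a normally hosted page and a srcdoc iframe.
const SAMPLES = [
  "https://example.com/app/index.html#userCode",
  "about:srcdoc#userCode",
];

function compare(href) {
  let regexResult;
  try {
    regexResult = stripOriginWithRegex(href);
  } catch (e) {
    regexResult = e.message;
  }
  return { href, regexResult, parsed: describeScriptUrl(href) };
}

for (const href of SAMPLES) {
  console.log(JSON.stringify(compare(href)));
}
```

The `origin` value of `"null"` for the srcdoc case is worth checking explicitly in any code that makes same-origin decisions from the script URL.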

djoume commented 1 month ago

Agreed that when the DOM is not used, WebWorkers are a better option.