Ensure that angle brackets in pyscript tag are escaped before parsing (#684)

* Ensure that angle brackets in pyscript tag are escaped before parsing

* Improve tests

* Update pyscriptjs/tests/test_01_basic.py

Co-authored-by: James A. Bednar <jbednar@users.noreply.github.com>

Co-authored-by: James A. Bednar <jbednar@users.noreply.github.com>

pyscriptjs/src/utils.ts

@@ -14,8 +14,12 @@ function getLastPath(str: string): string {
     return str.split('\\').pop().split('/').pop();
 }
 
+function escape(str: string): string {
+    return str.replace(/</g, "&lt;").replace(/>/g, "&gt;")
+}
+
 function htmlDecode(input: string): string {
-    const doc = new DOMParser().parseFromString(ltrim(input), 'text/html');
+    const doc = new DOMParser().parseFromString(ltrim(escape(input)), 'text/html');
     return doc.documentElement.textContent;
 }
 

pyscriptjs/tests/test_01_basic.py

@@ -36,3 +36,18 @@ class TestBasic(PyScriptTest):
         """
         )
         assert self.console.info.lines == ["one", "two", "three", "four"]
+
+    def test_escaping_of_angle_brackets(self):
+        """
+        Check that py-script tags escape angle brackets
+        """
+        # NOTE: this test relies on the fact that pyscript does not write
+        # anything to console.info. If we start writing to info in the future,
+        # we will probably need to tweak this test.
+        self.pyscript_run(
+            """
+            <py-script>import js; js.console.info(1<2, 1>2)</py-script>
+            <py-script>js.console.info("<div></div>")</py-script>
+        """
+        )
+        assert self.console.info.lines == ["true false", "<div></div>"]