Add warning for `html.script`

[Archmonger]

Current Situation

Currently, there is no documented warnings for the potential of XSS attacks when using html.script

Proposed Actions

We should add a disclaimer to warn users not to use raw user inputs (from any untrusted data source) within the script contents to avoid XSS attacks.

[ZEUS-03]

Can you assign me the task? Will be a good starting point.

[Archmonger]

We don't utilize the issue assignment feature on GitHub. The first person to open a draft PR gets priority to resolve it.

[ZEUS-03]

ok thanks! will do that.

[rmorshea]

@Archmonger, was your intention for this to be in the docstring.

[Archmonger]

Yeah, since the docstring gets turned into auto-docs.

[ZEUS-03]

hey! can you please tell me where do i have to put or write the documention i mean in which file?

[rmorshea]

https://github.com/reactive-python/reactpy/blob/main/src/reactpy/html.py

[rmorshea]

@Archmonger, can we create a follow-up ticket for a tool that would sanitize inputs to scripts? I think we can do more to help mitigate this risk for users.

[Archmonger]

You think this could be added to our flake8 plugin?