From 3bebe74a6efd1bea2fa7e182d08de87605c70c7e Mon Sep 17 00:00:00 2001
From: Gautam Sharma <gautam332000lavanya@gmail.com>
Date: Tue, 18 Apr 2023 20:41:22 +0530
Subject: [PATCH 1/5] added warning for html.script

---
 src/reactpy/html.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/reactpy/html.py b/src/reactpy/html.py
index fa4953cda..d2c44e66a 100644
--- a/src/reactpy/html.py
+++ b/src/reactpy/html.py
@@ -1,4 +1,7 @@
 """
+
+**Disclaimer** : Do not use raw user inputs from untrusted data sources in scripts. Doing so can lead to security vulnerabilities such as cross-site scripting (XSS) attacks.
+
 **Fragment**
 
 - :func:`_`

From 926e96134fad343546dd9a1fe6d3b44660c1aaea Mon Sep 17 00:00:00 2001
From: Gautam Sharma <gautam332000lavanya@gmail.com>
Date: Tue, 18 Apr 2023 23:33:00 +0530
Subject: [PATCH 2/5] updated Disclaimer to warning

---
 src/reactpy/html.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/reactpy/html.py b/src/reactpy/html.py
index d2c44e66a..6b70b270d 100644
--- a/src/reactpy/html.py
+++ b/src/reactpy/html.py
@@ -1,6 +1,7 @@
 """
 
-**Disclaimer** : Do not use raw user inputs from untrusted data sources in scripts. Doing so can lead to security vulnerabilities such as cross-site scripting (XSS) attacks.
+.. warning:: Do not use raw user inputs from untrusted data sources in scripts. :newline:
+    Doing so can lead to security vulnerabilities such as cross-site scripting (XSS) attacks.
 
 **Fragment**
 

From 161f31786ce15c6b63459389eef9ac45673e96e5 Mon Sep 17 00:00:00 2001
From: Gautam Sharma <gautam332000lavanya@gmail.com>
Date: Wed, 19 Apr 2023 07:56:32 +0530
Subject: [PATCH 3/5] warning added under scripting section

---
 src/reactpy/html.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/reactpy/html.py b/src/reactpy/html.py
index 6b70b270d..9fc530eb8 100644
--- a/src/reactpy/html.py
+++ b/src/reactpy/html.py
@@ -1,8 +1,5 @@
 """
 
-.. warning:: Do not use raw user inputs from untrusted data sources in scripts. :newline:
-    Doing so can lead to security vulnerabilities such as cross-site scripting (XSS) attacks.
-
 **Fragment**
 
 - :func:`_`
@@ -415,6 +412,9 @@ def _script(
 ) -> VdomDict:
     """Create a new `<{script}> <https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script>`__ element.
 
+    .. warning:: Do not use raw user inputs from untrusted data sources in scripts. :newline:
+    Doing so can lead to security vulnerabilities such as cross-site scripting (XSS) attacks.
+
     This behaves slightly differently than a normal script element in that it may be run
     multiple times if its key changes (depending on specific browser behaviors). If no
     key is given, the key is inferred to be the content of the script or, lastly its

From f4fe834551795231c9a0de1611ef1f217cbbfc23 Mon Sep 17 00:00:00 2001
From: Ryan Morshead <ryan.morshead@gmail.com>
Date: Sat, 22 Apr 2023 22:16:22 -0700
Subject: [PATCH 4/5] improve warning description

---
 src/reactpy/html.py | 44 +++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 41 insertions(+), 3 deletions(-)

diff --git a/src/reactpy/html.py b/src/reactpy/html.py
index 9fc530eb8..55e3dc748 100644
--- a/src/reactpy/html.py
+++ b/src/reactpy/html.py
@@ -410,11 +410,49 @@ def _script(
     key: Key | None,
     event_handlers: EventHandlerDict,
 ) -> VdomDict:
-    """Create a new `<{script}> <https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script>`__ element.
+    """Create a new `<script> <https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script>`__ element.
 
-    .. warning:: Do not use raw user inputs from untrusted data sources in scripts. :newline:
-    Doing so can lead to security vulnerabilities such as cross-site scripting (XSS) attacks.
+    .. warning::
 
+        Do not use unsanitized data from untrusted sources anywhere in your script. Doing
+        so may allow for malicious code injection. Consider this **insecure** code:
+
+        .. code-block::
+
+            my_script = html.script(f"console.log('{user_bio}');")
+
+        A clever attacker could construct ``user_bio`` such that they could escape the
+        string and execute arbitrary code to perform cross-site scripting
+        (`XSS <https://en.wikipedia.org/wiki/Cross-site_scripting>`__`). For example,
+        what if ``user_bio`` were of the form:
+
+        .. code-block:: text
+
+            '); attackerCodeHere(); ('
+
+        This would allow the following Javascript code to be executed client-side:
+
+        .. code-block:: js
+
+            console.log(''); attackerCodeHere(); ('');
+
+        One way to avoid this could be to escape ``user_bio`` so as to prevent the
+        injection of Javascript code. For example:
+
+        .. code-block:: python
+
+            import json
+            my_script = html.script(f"console.log({json.dumps(user_bio)});")
+
+        This would prevent the injection of Javascript code by escaping the ``user_bio``
+        string. In this case, the following client-side code would be executed instead:
+
+        .. code-block:: js
+
+            console.log("'); attackerCodeHere(); ('");
+
+        This is a very simple example, but it illustrates the point that you should
+        always be careful when using unsanitized data from untrusted sources.
     This behaves slightly differently than a normal script element in that it may be run
     multiple times if its key changes (depending on specific browser behaviors). If no
     key is given, the key is inferred to be the content of the script or, lastly its

From deac58f8296075a139440bd76ac47e55024220a7 Mon Sep 17 00:00:00 2001
From: rmorshea <ryan.morshead@gmail.com>
Date: Sat, 22 Apr 2023 23:47:03 -0700
Subject: [PATCH 5/5] improve warning placement

---
 src/reactpy/html.py | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/src/reactpy/html.py b/src/reactpy/html.py
index 55e3dc748..5c1d8b6ad 100644
--- a/src/reactpy/html.py
+++ b/src/reactpy/html.py
@@ -414,8 +414,24 @@ def _script(
 
     .. warning::
 
-        Do not use unsanitized data from untrusted sources anywhere in your script. Doing
-        so may allow for malicious code injection. Consider this **insecure** code:
+        Be careful to sanitize data from untrusted sources before using it in a script.
+        See the "Notes" for more details
+
+    This behaves slightly differently than a normal script element in that it may be run
+    multiple times if its key changes (depending on specific browser behaviors). If no
+    key is given, the key is inferred to be the content of the script or, lastly its
+    'src' attribute if that is given.
+
+    If no attributes are given, the content of the script may evaluate to a function.
+    This function will be called when the script is initially created or when the
+    content of the script changes. The function may itself optionally return a teardown
+    function that is called when the script element is removed from the tree, or when
+    the script content changes.
+
+    Notes:
+        Do not use unsanitized data from untrusted sources anywhere in your script.
+        Doing so may allow for malicious code injection. Consider this **insecure**
+        code:
 
         .. code-block::
 
@@ -453,16 +469,6 @@ def _script(
 
         This is a very simple example, but it illustrates the point that you should
         always be careful when using unsanitized data from untrusted sources.
-    This behaves slightly differently than a normal script element in that it may be run
-    multiple times if its key changes (depending on specific browser behaviors). If no
-    key is given, the key is inferred to be the content of the script or, lastly its
-    'src' attribute if that is given.
-
-    If no attributes are given, the content of the script may evaluate to a function.
-    This function will be called when the script is initially created or when the
-    content of the script changes. The function may itself optionally return a teardown
-    function that is called when the script element is removed from the tree, or when
-    the script content changes.
     """
     model: VdomDict = {"tagName": "script"}