[Edu-sig] Simplest webapps

Andrew Harrington aharrin at luc.edu
Mon Apr 2 16:20:34 EDT 2018


Bottle sounds like it makes things very simple.
I also have a chapter introducing server-side Python interaction in very
simple cases.
http://anh.cs.luc.edu/python/hands-on/3.1/handsonHtml/ch4.html
It does come well after function introduction.

Dr. Andrew N. Harrington
  Computer Science Department
  Graduate Program Director gpd at cs.luc.edu
  Loyola University Chicago
  207 Doyle Center, 1052 W Loyola Ave.
http://www.cs.luc.edu/~anh
Phone: 773-508-3569
Dept. Fax:    773-508-3739
aharrin at luc.edu (as professor, not gpd role)

On Sat, Mar 31, 2018 at 8:20 PM, Wes Turner <wes.turner at gmail.com> wrote:

> Web programming is fun but dangerous.
> Things as simple as 'it reads a file off the disk and sends it to the
> user' can unintentionally expose every readable file to whoever or whatever
> can access localhost.
>
> ```python
> import os
>
> # an absolute second component discards 'here': result is '/etc/shadow'
> os.path.join('here', '/etc/shadow')
> # plain concatenation keeps the '..' parts and resolves outside 'here'
> path = 'here/' + '../../../../etc/shadow'
> ```
>
> All of the examples in this thread are susceptible to XSS (Cross Site
> Scripting) and CSRF (Cross-site Request Forgery). Don't feel bad; many
> college web programming courses teach dangerous methods, too.
>
> XSS:
> ```python
> # user-supplied input interpolated into the response without escaping
> x = """</body><script>alert('download_mining_script()')</script>"""
>
> def page():
>     return f'<html><body>{x}'
> ```
>
> Bottle has multiple templating engines which escape user-supplied input
> (in order to maintain a separation between data and code).
>
> Like XSS, SQLi is also a 'code injection' issue. pypi:Records can use
> SQLAlchemy. Django is a great framework with a built-in ORM that also
> escapes SQL queries.
>
> CSRF:
> - X posts an XSS to site A that POSTs to site B
> - 100 users view site A
> - [...]
>
> http://bottle-utils.readthedocs.io/en/latest/csrf.html
>
> https://bottlepy.org/docs/dev/tutorial.html#html-form-handling
>
> OWASP has a lot of information on WebSec:
>
> OWASP Top 10
> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>
> The OWASP Vulnerable Web Applications Directory Project (VWAD)
> https://github.com/OWASP/OWASP-VWAD
>
> Any program or user on the system can read and write to localhost.
>
>
> On Saturday, March 31, 2018, Wes Turner <wes.turner at gmail.com> wrote:
>
>> Bottle is a single file web microframework.
>>
>> https://github.com/bottlepy/bottle
>> https://github.com/bottlepy/bottle/blob/master/bottle.py
>>
>> > Example: "Hello World" in a bottle
>>
>> ```python
>> from bottle import route, run, template
>>
>> @route('/hello/<name>')
>> def index(name):
>>     return template('<b>Hello {{name}}</b>!',
>>         name=name)
>>
>> run(host='localhost', port=8080)
>> ```
>>
>> There are docs and every function is Ctrl-F'able within bottle.py.
>>
>> On Friday, March 30, 2018, kirby urner <kirby.urner at gmail.com> wrote:
>>
>>>
>>> Very interesting.  I note that free users are relegated to Python 2.7
>>>
>>> Server modules can be Python 3.6 (outside the free version)
>>>
>>> Client stuff compiles to JavaScript and is approximately 2.7
>>>
>>> That's a bit confusing maybe.  I try to avoid 2.7 but that's not easy.
>>>
>>> In my Coding with Kids work, we use Codesters.com to teach Python, which
>>> depends on Skulpt.  Also 2.x ish.
>>>
>>> Kirby
>>>
>>>
>>>
>>> On Fri, Mar 30, 2018 at 11:49 AM, Jason Blum <jason.blum at gmail.com>
>>> wrote:
>>>
>>>> http://anvil.works/ is a pretty interesting approach to Python web
>>>> applications.
>>>>
>>>> On Fri, Mar 30, 2018 at 2:05 PM, kirby urner <kirby.urner at gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>> Hi Aivar --
>>>>>
>>>>> I think it's a fine idea to write simple Python scripts that write
>>>>> HTML files, which you may then pull up in the browser.
>>>>>
>>>>> There's no need to put a server behind static web pages.  So, for
>>>>> example, I'll have my students write a page of bookmarks:
>>>>>
>>>>> ```python
>>>>> # -*- coding: utf-8 -*-
>>>>> """
>>>>> Created on Wed Nov  4 18:02:30 2015
>>>>>
>>>>> @author: Kirby Urner
>>>>> """
>>>>>
>>>>> # tuple of tuples
>>>>> bookmarks = (
>>>>>     ("Anaconda.org", "http://anaconda.org"),
>>>>>     ("Python.org", "http://python.org"),
>>>>>     ("Python Docs", "https://docs.python.org/3/"),
>>>>>     ("Spaghetti Code", "http://c2.com/cgi/wiki?SpaghettiCode"),
>>>>>     ("Structured Programming", "http://c2.com/cgi/wiki?StructuredProgramming"),
>>>>>     ("Map of Languages", "http://archive.oreilly.com/pub/a/oreilly//news/languageposter_0504.html"),
>>>>>     ("XKCD", "http://xkcd.com"),
>>>>>     )
>>>>>
>>>>> page = '''\
>>>>> <!DOCTYPE HTML>
>>>>> {}
>>>>> '''
>>>>>
>>>>> html = """\
>>>>> <HTML>
>>>>> <HEAD>
>>>>> <TITLE>Bookmarks for Python</TITLE>
>>>>> </HEAD>
>>>>> <BODY>
>>>>> <H3>Bookmarks</H3>
>>>>> <BR />
>>>>> <UL>
>>>>> {}
>>>>> </UL>
>>>>> </BODY>
>>>>> </HTML>
>>>>> """.lower()
>>>>>
>>>>> the_body = ""
>>>>> for place, url in bookmarks:
>>>>>     the_body += "<li><a href='{}'>{}</a></li>\n".format(url, place)
>>>>>
>>>>> webpage = open("links.html", "w")
>>>>> print(page.format(html.format(the_body)), file=webpage)
>>>>> webpage.close()
>>>>> ```
>>>>>
>>>>> All you need to add to your example is using print() to save to a file,
>>>>> so the browser has something to open.
>>>>>
>>>>> I would not call this a "web app" yet it's instructive in showing how
>>>>> Python can write HTML files.
>>>>>
>>>>> Kirby
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Mar 28, 2018 at 12:18 AM, Aivar Annamaa <aivar.annamaa at ut.ee>
>>>>> wrote:
>>>>>
>>>>>> Hi!
>>>>>> Let's say my students are able to write programs like this:
>>>>>>
>>>>>> ```python
>>>>>> name = input("name")
>>>>>>
>>>>>> if name == "Pete":
>>>>>>     greeting = "Hi"
>>>>>> else:
>>>>>>     greeting = "Hello!"
>>>>>>
>>>>>> print(f"""
>>>>>> <html>
>>>>>> <body>
>>>>>> {greeting} {name}!
>>>>>> </body>
>>>>>> </html>
>>>>>> """)
>>>>>> ```
>>>>>>
>>>>>> I'd like to allow them start writing web-apps without introducing
>>>>>> functions first (most web-frameworks require functions).
>>>>>>
>>>>>> It occurred to me that it's not hard to create a wrapper, which
>>>>>> presents this code as a web-app (input would be patched to look up
>>>>>> GET or POST parameters with given name).
>>>>>>
>>>>>> This approach would allow simple debugging of the code on local
>>>>>> machine and no extra libraries are required in this phase.
>>>>>>
>>>>>> Any opinions on this? Has this been tried before?
>>>>>>
>>>>>> best regards,
>>>>>> Aivar
>>>>>>
>>>>>> _______________________________________________
>>>>>> Edu-sig mailing list
>>>>>> Edu-sig at python.org
>>>>>> https://mail.python.org/mailman/listinfo/edu-sig
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
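Added example, not from the thread: a path check for the "reads a file off the disk and sends it to the user" case Wes describes, covering both gotchas in his `os.path.join('here', '/etc/shadow')` snippet. The document root, its single file and the request paths are constructed here for illustration; `safe_join` and `handle_request` are names chosen for this example, not a Bottle API.

```python
import os
import tempfile

# Constructed document root with a single file, so the example runs offline.
BASE_DIR = os.path.realpath(tempfile.mkdtemp(prefix="public-"))
with open(os.path.join(BASE_DIR, "index.html"), "w", encoding="utf-8") as fh:
    fh.write("<h1>hello</h1>\n")


def safe_join(base_dir, requested):
    """Resolve `requested` inside `base_dir`; raise ValueError if it escapes.

    Two things go wrong with a naive join. os.path.join('here', '/etc/shadow')
    returns '/etc/shadow' because an absolute component discards everything
    before it, and 'here/' + '../../../../etc/shadow' keeps the '..' parts and
    resolves outside 'here'. Stripping leading separators handles the first;
    realpath plus a prefix check on the result handles the second.
    """
    relative = requested.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base_dir, relative))
    # commonpath of root and candidate equals the root only when the candidate
    # lies beneath it; realpath has already collapsed '..' and symlinks.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError(f"path escapes document root: {requested!r}")
    return candidate


def handle_request(path):
    """Minimal static-file handler: returns (status, body) for a request path."""
    try:
        target = safe_join(BASE_DIR, path)
    except ValueError:
        return 403, "forbidden"
    if not os.path.isfile(target):
        return 404, "not found"
    with open(target, encoding="utf-8") as fh:
        return 200, fh.read()


if __name__ == "__main__":
    for p in ["/index.html", "/etc/shadow", "/../../../../etc/shadow"]:
        print(p, "->", handle_request(p))
```

Note that an absolute request path is not rejected but confined: `/etc/shadow` becomes `<root>/etc/shadow`, which does not exist, so the handler answers 404 rather than reading the system file. Only paths that still resolve outside the root after normalisation get the 403.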
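Added example, not from the thread and not Bottle's code: one way to build the wrapper Aivar proposes, where the student's script runs unchanged and `input()` is patched to look up a GET or POST parameter named by the prompt, using only the standard library's `wsgiref`. It also applies Wes's escaping point: the value the patched `input()` hands back is HTML-escaped before the student's f-string sees it, so a name containing `</body><script>` is rendered as text. The embedded student script is Aivar's snippet; `make_app`, `run_script`, `request_params` and `render` are names chosen for this example.

```python
import contextlib
import html
import io
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server
from wsgiref.util import setup_testing_defaults

# Aivar's student script from the thread, embedded as a string (constructed input).
STUDENT_SCRIPT = '''
name = input("name")

if name == "Pete":
    greeting = "Hi"
else:
    greeting = "Hello!"

print(f"""
<html>
<body>
{greeting} {name}!
</body>
</html>
""")
'''


def request_params(environ):
    """Merge GET query and POST form parameters into one dict of single values."""
    params = {}
    for key, values in parse_qs(environ.get("QUERY_STRING", "")).items():
        params[key] = values[0]
    if environ.get("REQUEST_METHOD") == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0
        body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
        for key, values in parse_qs(body).items():
            params[key] = values[0]
    return params


def run_script(source, params):
    """Run a student script with input() patched; return what it printed."""
    def patched_input(prompt=""):
        # The prompt names the parameter. Escape before returning so nothing the
        # student interpolates into their HTML can break out of the page.
        return html.escape(params.get(prompt, ""), quote=True)

    out = io.StringIO()
    # A global named `input` shadows the builtin for the exec'd module code.
    namespace = {"input": patched_input}
    with contextlib.redirect_stdout(out):
        exec(compile(source, "<student>", "exec"), namespace)
    return out.getvalue()


def make_app(source):
    """Wrap a student script as a WSGI application."""
    def app(environ, start_response):
        body = run_script(source, request_params(environ)).encode("utf-8")
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    return app


def render(source, query="", method="GET", form=""):
    """Drive the app without a socket; returns (status line, body text)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["QUERY_STRING"] = query
    if method == "POST":
        data = form.encode("utf-8")
        environ["wsgi.input"] = io.BytesIO(data)
        environ["CONTENT_LENGTH"] = str(len(data))
        environ["CONTENT_TYPE"] = "application/x-www-form-urlencoded"
    status = {}

    def start_response(line, headers):
        status["line"] = line

    chunks = make_app(source)(environ, start_response)
    return status["line"], b"".join(chunks).decode("utf-8")


if __name__ == "__main__":
    # Bound to the loopback address; as Wes notes, every local user can reach it.
    with make_server("127.0.0.1", 8080, make_app(STUDENT_SCRIPT)) as httpd:
        httpd.serve_forever()
```

`render` is the hook for checking the wrapper from a test or the REPL; the same app object is what `make_server` serves. Escaping inside the patched `input()` is the one place the wrapper can enforce Wes's data/code separation, since the student's own f-string does no escaping of its own.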