<div dir="ltr">Bottle sounds like it makes things very simple.<div>I also have a chapter introducing server-side Python interaction in very simple cases.</div><div><a href="http://anh.cs.luc.edu/python/hands-on/3.1/handsonHtml/ch4.html">http://anh.cs.luc.edu/python/hands-on/3.1/handsonHtml/ch4.html</a><br></div><div>It does come well after function introduction.</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">Dr. Andrew N. Harrington<br> Computer Science Department <div> Graduate Program Director <a href="mailto:gpd@cs.luc.edu" target="_blank">gpd@cs.luc.edu</a><br><div> Loyola University Chicago<br></div><div> 207 Doyle Center, 1052 W Loyola Ave. <br><a href="http://www.cs.luc.edu/~anh" target="_blank">http://www.cs.luc.edu/~anh</a><br>Phone: 773-508-3569<br>Dept. Fax: <span style="font-size:12.8px">773-508-3739</span></div><div><a href="mailto:aharrin@luc.edu" target="_blank">aharrin@luc.edu</a> (as professor, not gpd role)</div></div></div></div></div></div></div>
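The `os.path.join` pitfall Wes points out in the quoted message below, beside the containment check a file-serving handler needs before opening anything (added example, not code from the thread; `BASE_DIR`, `naive_path` and `safe_path` are names chosen here, and `here` is a hypothetical document root):

```python
import os

# Hypothetical document root the handler is allowed to serve from.
BASE_DIR = os.path.realpath('here')

def naive_path(requested):
    """What the snippet in the thread does: join() drops BASE_DIR entirely when
    `requested` is absolute, and '..' segments are passed through as written."""
    return os.path.join(BASE_DIR, requested)

def safe_path(requested):
    """Resolve `requested` under BASE_DIR; return None if it ends up outside.

    realpath() collapses '..' and follows symlinks, and commonpath() compares
    whole path components, so a sibling such as 'here2' is not mistaken for
    'here' the way a plain string-prefix test would.
    """
    candidate = os.path.realpath(os.path.join(BASE_DIR, requested))
    try:
        inside = os.path.commonpath([BASE_DIR, candidate]) == BASE_DIR
    except ValueError:          # different drives on Windows: not inside
        inside = False
    return candidate if inside else None

if __name__ == "__main__":
    # Constructed requests: one legitimate, the two from the thread, one sibling.
    for req in ('index.html', '/etc/shadow', '../../../../etc/shadow', '../here2'):
        print(f"{req!r:28} naive={naive_path(req)!r} safe={safe_path(req)!r}")
```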
<br><div class="gmail_quote">On Sat, Mar 31, 2018 at 8:20 PM, Wes Turner <span dir="ltr"><<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div>Web programming is fun but dangerous.</div>
<div>Things as simple as 'it reads a file off the disk and sends it to the user' can unintentionally expose every readable file to whoever or whatever can access localhost.</div>
<div><br>
</div>
<div>```python</div>
<div>import os</div>
<div># join() discards 'here' because the second argument is absolute: result is '/etc/shadow'</div>
<div>os.path.join('here', '/etc/shadow')</div>
<div># the '..' segments are kept as written, so this path also escapes 'here/'</div>
<div>path = 'here/' + '../../../../etc/shadow'</div>
<div>```</div>
<div><br>
</div>
<div>All of the examples in this thread are susceptible to XSS (Cross Site Scripting) and CSRF (Cross-site Request Forgery). Don't feel bad; many college web programming courses teach dangerous methods, too.</div>
<div><br>
</div>
<div>XSS:</div>
<div>```python</div>
<div>x = """</body><script>alert('download_mining_script()')</script>"""</div>
<div>return f'<html><body>{x}'</div>
<div>```</div>
<div><br>
</div>
<div>Bottle has multiple templating engines which escape user-supplied input (in order to maintain a separation between data and code).</div>
<div><br>
</div>
<div>Like XSS, SQLi is also a 'code injection' issue. pypi:Records can use SQLAlchemy. Django is a great framework with a built-in ORM that also escapes SQL queries.</div>
<div><br>
</div>
<div>CSRF:</div>
<div>- X posts an XSS to site A that POSTs to site B</div>
<div>- 100 users view site A</div>
<div>- [...]</div>
<div><br>
</div>
<div><a href="http://bottle-utils.readthedocs.io/en/latest/csrf.html" target="_blank">http://bottle-utils.readthedocs.io/en/latest/csrf.html</a></div>
<div><br>
</div>
<div><a href="https://bottlepy.org/docs/dev/tutorial.html#html-form-handling" target="_blank">https://bottlepy.org/docs/dev/tutorial.html#html-form-handling</a></div>
<div><br>
</div>
<div>OWASP has a lot of information on WebSec:</div>
<div><br>
</div>
<div>OWASP Top 10</div>
<div><a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project" target="_blank">https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project</a></div>
<div><br>
</div>
<div>The OWASP Vulnerable Web Applications Directory Project (VWAD)<br>
</div>
<div><a href="https://github.com/OWASP/OWASP-VWAD" target="_blank">https://github.com/OWASP/OWASP-VWAD</a></div>
<div><br>
</div>
<div>Any program or user on the system can read and write to localhost.</div>
</div><div><div class="h5">
<div><br>
</div>
<br>
On Saturday, March 31, 2018, Wes Turner <<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>Bottle is a single file web microframework.</div>
<div><br>
</div>
<div><a href="https://github.com/bottlepy/bottle" target="_blank">https://github.com/bottlepy/bottle</a></div>
<div><a href="https://github.com/bottlepy/bottle/blob/master/bottle.py" target="_blank">https://github.com/bottlepy/bottle/blob/master/bottle.py</a></div>
<div><br>
</div>
<div>> Example: "Hello World" in a bottle</div>
<div><br>
</div>
<div>```python</div>
<div>from bottle import route, run, template </div>
<div><br>
</div>
<div>@route('/hello/<name>')</div>
<div>def index(name):</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;return template('<b>Hello {{name}}</b>!',</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;name=name)</div>
<div><br>
</div>
<div>run(host='localhost', port=8080)</div>
<div>```</div>
<div><br>
</div>
<div>There are docs and every function is Ctrl-F'able within bottle.py.</div>
<br>
On Friday, March 30, 2018, kirby urner <<a href="mailto:kirby.urner@gmail.com" target="_blank">kirby.urner@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
<br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
Very interesting. I note that free users are relegated to Python 2.7<br>
<br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
Server modules can be Python 3.6 (outside the free version)<br>
<br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
Client stuff compiles to JavaScript and is approximately 2.7<br>
<br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
That's a bit confusing maybe. I try to avoid 2.7 but that's not easy.<br>
<br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
In my Coding with Kids work, we use Codesters.com to teach Python, which depends on Skulpt. Also 2.x ish.<br>
<br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
Kirby<br>
<br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Mar 30, 2018 at 11:49 AM, Jason Blum <span dir="ltr">
<<a href="mailto:jason.blum@gmail.com" target="_blank">jason.blum@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">
<a href="http://anvil.works/" target="_blank">http://anvil.works/</a> is a pretty interesting approach to Python web applications.<br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Mar 30, 2018 at 2:05 PM, kirby urner <span dir="ltr">
<<a href="mailto:kirby.urner@gmail.com" target="_blank">kirby.urner@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
<br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
Hi Aivar --<br>
<br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
I think it's a fine idea to write simple Python scripts that write HTML files, which you may then pull up in the browser.<br>
<br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
There's no need to put a server behind static web pages. So, for example, I'll have my students write a page of bookmarks:<br>
<br>
# -*- coding: utf-8 -*-<br>
"""<br>
Created on Wed Nov 4 18:02:30 2015<br>
<br>
@author: Kirby Urner<br>
"""<br>
<br>
# tuple of tuples<br>
bookmarks = (<br>
&nbsp;&nbsp;&nbsp;&nbsp;("Anaconda.org", "http://anaconda.org"),<br>
&nbsp;&nbsp;&nbsp;&nbsp;("Python.org", "http://python.org"),<br>
&nbsp;&nbsp;&nbsp;&nbsp;("Python Docs", "https://docs.python.org/3/"),<br>
&nbsp;&nbsp;&nbsp;&nbsp;("Spaghetti Code", "http://c2.com/cgi/wiki?SpaghettiCode"),<br>
&nbsp;&nbsp;&nbsp;&nbsp;("Structured Programming", "http://c2.com/cgi/wiki?StructuredProgramming"),<br>
&nbsp;&nbsp;&nbsp;&nbsp;("Map of Languages", "http://archive.oreilly.com/pub/a/oreilly//news/languageposter_0504.html"),<br>
&nbsp;&nbsp;&nbsp;&nbsp;("XKCD", "http://xkcd.com"),<br>
)<br>
<br>
page = '''\<br>
<!DOCTYPE HTML><br>
{}<br>
'''<br>
<br>
html = """\<br>
<HTML><br>
<HEAD><br>
<TITLE>Bookmarks for Python</TITLE><br>
</HEAD><br>
<BODY><br>
<H3>Bookmarks</H3><br>
<BR /><br>
<UL><br>
{}<br>
</UL><br>
</BODY><br>
</HTML><br>
""".lower()<br>
<br>
the_body = ""<br>
for place, url in bookmarks:<br>
&nbsp;&nbsp;&nbsp;&nbsp;the_body += "<li><a href='{}'>{}</a></li>\n".format(url, place)<br>
<br>
webpage = open("links.html", "w")<br>
print(page.format(html.format(the_body)), file=webpage)<br>
webpage.close()<br>
<br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
All you need to add to your example is using print() to save to a file, so the browser has something to open.<br>
<br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
I would not call this a "web app" yet it's instructive in showing how Python can write HTML files.<span><font color="#888888"><br>
<br>
</font></span></div>
<span><font color="#888888">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:large">
Kirby<br>
<br>
<br>
</div>
</font></span></div>
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div>
<div>On Wed, Mar 28, 2018 at 12:18 AM, Aivar Annamaa <span dir="ltr"><<a href="mailto:aivar.annamaa@ut.ee" target="_blank">aivar.annamaa@ut.ee</a>></span> wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi!</p>
Let's say my students are able to write programs like this:
<blockquote><tt>name = input("name")<br>
<br>
if name == "Pete":<br>
&nbsp;&nbsp;&nbsp;&nbsp;greeting = "Hi"<br>
else:<br>
&nbsp;&nbsp;&nbsp;&nbsp;greeting = "Hello!"<br>
<br>
print(f"""<br>
<html><br>
<body><br>
{greeting} {name}!<br>
</body><br>
</html><br>
""")</tt></blockquote>
<p>I'd like to allow them to start writing web-apps without introducing functions first (most web frameworks require functions).</p>
<p>It occurred to me that it's not hard to create a wrapper, which presents this code as a web-app (<tt>input</tt> would be patched to look up GET or POST parameters with given name).</p>
<p>This approach would allow simple debugging of the code on the local machine, and no extra libraries are required in this phase.<br>
</p>
<p>Any opinions on this? Has this been tried before? <br>
</p>
<p>best regards,<br>
Aivar<br>
</p>
</div>
<br>
</div>
</div>
<span>_______________________________________________<br>
Edu-sig mailing list<br>
<a href="mailto:Edu-sig@python.org" target="_blank">Edu-sig@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/edu-sig" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/edu-sig</a><br>
<br>
</span></blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</blockquote>
</div></div></div>
</blockquote></div><br></div>
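One way to build the wrapper Aivar describes in the thread above, run against his example script and with the output escaping Wes's reply calls for (added example, not code from the thread or from Bottle; `run_script` and `wsgi_app` are names chosen here, and only GET parameters are looked up):

```python
import contextlib
import html
import io
from urllib.parse import parse_qs

# Aivar's example script from the thread, condensed to one print(); it runs
# unchanged, without any function definitions.
STUDENT_SCRIPT = '''
name = input("name")
if name == "Pete":
    greeting = "Hi"
else:
    greeting = "Hello!"
print(f"<html><body>{greeting} {name}!</body></html>")
'''

def run_script(source, query_string, escape=True):
    """Run `source` with input(prompt) bound to the GET parameter named `prompt`.

    Whatever the script print()s is returned as the response body. With
    escape=True each parameter value is HTML-escaped before the script sees
    it, so a value cannot close the page and start a <script> element (the
    XSS sink Wes's reply describes); escape=False shows the unsafe behaviour.
    """
    params = parse_qs(query_string, keep_blank_values=True)

    def web_input(prompt=""):
        value = params.get(prompt, [""])[0]      # missing parameter -> ""
        return html.escape(value) if escape else value

    out = io.StringIO()
    with contextlib.redirect_stdout(out):
        exec(compile(source, "<student>", "exec"), {"input": web_input})
    return out.getvalue()

def wsgi_app(environ, start_response):
    """WSGI adapter so the script can be served with the standard library."""
    body = run_script(STUDENT_SCRIPT, environ.get("QUERY_STRING", "")).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Loopback only; as Wes notes, anything on the machine can still reach it.
    with make_server("127.0.0.1", 8080, wsgi_app) as server:
        server.serve_forever()
```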