Web programming is fun but dangerous.
Things as simple as 'it reads a file off the disk and sends it to the user' can unintentionally expose every readable file to whoever or whatever can access localhost.

```python
os.path.join('here', '/etc/shadow')
path = 'here/' + '../../../../etc/shadow'
```

All of the examples in this thread are susceptible to XSS (Cross Site Scripting) and CSRF (Cross-site Request Forgery). Don't feel bad; many college web programming courses teach dangerous methods, too.

XSS:
```
x = """</body><script>alert('download_mining_script()')</script>"""
return f'<html><body>{x}'
"""

Bottle has multiple templating engines which escape user-supplied input (in order to maintain a separation between data and code).

Like XSS, SQLi is also a 'code injection' issue. pypi:Records can use SQLAlchemy. Django is a great framework with a built-in ORM that also escapes SQL queries.

CSRF:
- X posts an XSS to site A that POSTs to site B
- 100 users view site A
- [...]

http://bottle-utils.readthedocs.io/en/latest/csrf.html

https://bottlepy.org/docs/dev/tutorial.html#html-form-handling

OWASP has a lot of information on WebSec:

OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The OWASP Vulnerable Web Applications Directory Project (VWAD)
https://github.com/OWASP/OWASP-VWAD

Any program or user on the system can read and write to localhost.


On Saturday, March 31, 2018, Wes Turner <wes.turner@gmail.com> wrote:
Bottle is a single file web microframework.

https://github.com/bottlepy/bottle
https://github.com/bottlepy/bottle/blob/master/bottle.py

> Example: "Hello World" in a bottle

```python
from bottle import route, run, template 

@route('/hello/<name>')
def index(name):
    return template('<b>Hello {{name}}</b>!',
        name=name)

run(host='localhost', port=8080)
```

There are docs and every function is Ctrl-F'able within bottle.py.

On Friday, March 30, 2018, kirby urner <kirby.urner@gmail.com> wrote:

Very interesting.  I note that free users are relegated to Python 2.7

Server modules can be Python 3.6 (outside the free version)

Client stuff compiles to JavaScript and is approximately 2.7

That's a bit confusing maybe.  I try to avoid 2.7 but that's not easy.

In my Coding with Kids work, we use Codesters.com to teach Python, which depends on Skulpt.  Also 2.x ish.

Kirby



On Fri, Mar 30, 2018 at 11:49 AM, Jason Blum <jason.blum@gmail.com> wrote:
http://anvil.works/ is a pretty interesting approach to Python web applications.

On Fri, Mar 30, 2018 at 2:05 PM, kirby urner <kirby.urner@gmail.com> wrote:

Hi Aivar --

I think it's a fine idea to write simple Python scripts that write HTML files, which you may then pull up in the browser.

There's no need to put a server behind static web pages.  So, for example, I'll have my students write a page of bookmarks:

# -*- coding: utf-8 -*-
"""
Created on Wed Nov  4 18:02:30 2015

@author: Kirby Urner
"""

# tuple of tuples
bookmarks = (
    ("Anaconda.org", "http://anaconda.org"),
    ("Python.org", "http://python.org"),
    ("Python Docs", "https://docs.python.org/3/"),
    ("Spaghetti Code", "http://c2.com/cgi/wiki?SpaghettiCode"),
    ("Structured Programming", "http://c2.com/cgi/wiki?StructuredProgramming"),
    ("Map of Languages", "http://archive.oreilly.com/pub/a/oreilly//news/languageposter_0504.html"),
    ("XKCD", "http://xkcd.com"),
    )

page = '''\
<!DOCTYPE HTML>
{}
'''

html = """\
<HTML>
<HEAD>
<TITLE>Bookmarks for Python</TITLE>
</HEAD>
<BODY>
<H3>Bookmarks</H3>
<BR />
<UL>
{}
</UL>
</BODY>
</HTML>
""".lower()

the_body = ""
for place, url in bookmarks:
    the_body += "<li><a href='{}'>{}</a></li>\n".format(url, place)

webpage = open("links.html", "w")
print(page.format(html.format(the_body)), file=webpage)
webpage.close()

All you need add to your example is using print() to save to a file, so the browser has something to open.

I would not call this a "web app" yet it's instructive in showing how Python can write HTML files.

Kirby



On Wed, Mar 28, 2018 at 12:18 AM, Aivar Annamaa <aivar.annamaa@ut.ee> wrote:

Hi!

Let's say my students are able to write programs like this:
name = input("name")

if name == "Pete":
    greeting = "Hi"
else:
    greeting = "Hello!"

print(f"""
<html>
<body>
{greeting} {name}!
</body>
</html>
""")

I'd like to allow them start writing web-apps without introducing functions first (most web-frameworks require functions).

It occurred to me that it's not hard to create a wrapper, which presents this code as a web-app (input would be patched to look up GET or POST parameters with given name).

This approach would allow simple debugging of the code on local machine and no extra libraries are required in this phase.

Any opinions on this? Has this been tried before?

best regards,
Aivar


_______________________________________________
Edu-sig mailing list
Edu-sig@python.org
https://mail.python.org/mailman/listinfo/edu-sig



_______________________________________________
Edu-sig mailing list
Edu-sig@python.org
https://mail.python.org/mailman/listinfo/edu-sig