Bottle sounds like it makes things very simple. I also have a chapter introducing server-side Python interaction in very simple cases. http://anh.cs.luc.edu/python/hands-on/3.1/handsonHtml/ch4.html It does come well after function introduction.

Dr. Andrew N. Harrington
Computer Science Department Graduate Program Director
gpd@cs.luc.edu
Loyola University Chicago
207 Doyle Center, 1052 W Loyola Ave.
http://www.cs.luc.edu/~anh
Phone: 773-508-3569
Dept. Fax: 773-508-3739
aharrin@luc.edu (as professor, not gpd role)

On Sat, Mar 31, 2018 at 8:20 PM, Wes Turner <wes.turner@gmail.com> wrote:
Web programming is fun but dangerous. Things as simple as 'it reads a file off the disk and sends it to the user' can unintentionally expose every readable file to whoever or whatever can access localhost.
```python
import os

# both forms leave 'here': an absolute second argument makes join() discard it, and '..' walks out of it
os.path.join('here', '/etc/shadow')
path = 'here/' + '../../../../etc/shadow'
```
All of the examples in this thread are susceptible to XSS (Cross Site Scripting) and CSRF (Cross-site Request Forgery). Don't feel bad; many college web programming courses teach dangerous methods, too.
XSS:
```python
# deliberately vulnerable: user-controlled x is interpolated into the page unescaped
x = """</body><script>alert('download_mining_script()')</script>"""

def index():
    return f'<html><body>{x}'
```
Bottle has multiple templating engines which escape user-supplied input (in order to maintain a separation between data and code).
Like XSS, SQLi is also a 'code injection' issue. pypi:Records can use SQLAlchemy. Django is a great framework with a built-in ORM that also escapes SQL queries.
CSRF:
- X posts an XSS to site A that POSTs to site B
- 100 users view site A
- [...]
http://bottle-utils.readthedocs.io/en/latest/csrf.html
https://bottlepy.org/docs/dev/tutorial.html#html-form-handling
OWASP has a lot of information on WebSec:
OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The OWASP Vulnerable Web Applications Directory Project (VWAD) https://github.com/OWASP/OWASP-VWAD
Any program or user on the system can read and write to localhost.
On Saturday, March 31, 2018, Wes Turner <wes.turner@gmail.com> wrote:
Bottle is a single file web microframework.
https://github.com/bottlepy/bottle https://github.com/bottlepy/bottle/blob/master/bottle.py
Example: "Hello World" in a bottle
```python
from bottle import route, run, template

@route('/hello/<name>')
def index(name):
    return template('<b>Hello {{name}}</b>!', name=name)

run(host='localhost', port=8080)
```
There are docs and every function is Ctrl-F'able within bottle.py.
On Friday, March 30, 2018, kirby urner <kirby.urner@gmail.com> wrote:
Very interesting. I note that free users are relegated to Python 2.7
Server modules can be Python 3.6 (outside the free version)
Client stuff compiles to JavaScript and is approximately 2.7
That's a bit confusing maybe. I try to avoid 2.7 but that's not easy.
In my Coding with Kids work, we use Codesters.com to teach Python, which depends on Skulpt. Also 2.x ish.
Kirby
On Fri, Mar 30, 2018 at 11:49 AM, Jason Blum <jason.blum@gmail.com> wrote:
http://anvil.works/ is a pretty interesting approach to Python web applications.
On Fri, Mar 30, 2018 at 2:05 PM, kirby urner <kirby.urner@gmail.com> wrote:
Hi Aivar --
I think it's a fine idea to write simple Python scripts that write HTML files, which you may then pull up in the browser.
There's no need to put a server behind static web pages. So, for example, I'll have my students write a page of bookmarks:
```python
# -*- coding: utf-8 -*-
"""
Created on Wed Nov 4 18:02:30 2015

@author: Kirby Urner
"""

# tuple of tuples
bookmarks = (
    ("Anaconda.org", "http://anaconda.org"),
    ("Python.org", "http://python.org"),
    ("Python Docs", "https://docs.python.org/3/"),
    ("Spaghetti Code", "http://c2.com/cgi/wiki?SpaghettiCode"),
    ("Structured Programming", "http://c2.com/cgi/wiki?StructuredProgramming"),
    ("Map of Languages", "http://archive.oreilly.com/pub/a/oreilly//news/languageposter_0504.html"),
    ("XKCD", "http://xkcd.com"),
)

page = '''\
<!DOCTYPE HTML>
{}
'''

html = """\
<HTML>
<HEAD>
<TITLE>Bookmarks for Python</TITLE>
</HEAD>
<BODY>
<H3>Bookmarks</H3>
<BR />
<UL>
{}
</UL>
</BODY>
</HTML>
""".lower()

the_body = ""
for place, url in bookmarks:
    the_body += "<li><a href='{}'>{}</a></li>\n".format(url, place)

webpage = open("links.html", "w")
print(page.format(html.format(the_body)), file=webpage)
webpage.close()
```
All you need to add to your example is using print() to save to a file, so the browser has something to open.
I would not call this a "web app" yet it's instructive in showing how Python can write HTML files.
Kirby
On Wed, Mar 28, 2018 at 12:18 AM, Aivar Annamaa <aivar.annamaa@ut.ee> wrote:
Hi!

Let's say my students are able to write programs like this:

```python
name = input("name")

if name == "Pete":
    greeting = "Hi"
else:
    greeting = "Hello!"

print(f"""
<html>
<body>
{greeting} {name}!
</body>
</html>
""")
```
I'd like to allow them to start writing web-apps without introducing functions first (most web-frameworks require functions).
It occurred to me that it's not hard to create a wrapper, which presents this code as a web-app (input would be patched to look up GET or POST parameters with given name).
This approach would allow simple debugging of the code on local machine and no extra libraries are required in this phase.
Any opinions on this? Has this been tried before?
best regards, Aivar
_______________________________________________ Edu-sig mailing list Edu-sig@python.org https://mail.python.org/mailman/listinfo/edu-sig
_______________________________________________ Edu-sig mailing list Edu-sig@python.org https://mail.python.org/mailman/listinfo/edu-sig
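The wrapper Aivar describes (a beginner script keeps calling input(), and each input(prompt) is answered from the GET or POST parameter named prompt), combined with two of the hazards Wes raises: the XSS payload that closes the body and injects a script, and the two os.path.join lines that leave the intended directory. This is an added example and not code from anyone on the thread or from Bottle; the student script is constructed in the style of Aivar's post, and STUDENT_SCRIPT, run_script, make_app and safe_join are names chosen for the example.

```python
"""Added example, not code from anyone on the thread.

A beginner script keeps using input(); the wrapper answers each
input(prompt) from the request parameter named `prompt`.  The value is
HTML-escaped before the script sees it, so a name such as
</body><script>... is rendered as text, and safe_join() is the check
that os.path.join('here', '/etc/shadow') lacks.  STUDENT_SCRIPT,
run_script, make_app and safe_join are names chosen for this example."""
import contextlib
import html
import io
import os
import urllib.parse

# Constructed student program in the style of Aivar's example.
STUDENT_SCRIPT = '''
name = input("name")

if name == "Pete":
    greeting = "Hi"
else:
    greeting = "Hello!"

print(f"""
<html>
<body>
{greeting} {name}!
</body>
</html>
""")
'''


def run_script(source, params, escape=True):
    """Run `source` with input(prompt) answered from params[prompt][0].

    `params` has the shape urllib.parse.parse_qs returns.  With escape=True
    the value is HTML-escaped before the script sees it, so whatever the
    script prints into the page is data, not markup.  The source is exec'd
    as trusted code: this is for running the student's own program, never
    a script supplied by a visitor."""
    def fake_input(prompt=""):
        value = params.get(prompt, [""])[0]
        return html.escape(value, quote=True) if escape else value

    out = io.StringIO()
    # Supplying `input` in the script's globals shadows the builtin for this
    # run only; nothing process-wide is patched.
    with contextlib.redirect_stdout(out):
        exec(compile(source, "<student>", "exec"), {"input": fake_input})
    return out.getvalue()


def make_app(source, escape=True):
    """Wrap `source` as a WSGI app; GET and POST parameters answer input()."""
    def app(environ, start_response):
        params = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
        if environ.get("REQUEST_METHOD") == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length).decode("utf-8")
            params.update(urllib.parse.parse_qs(body))
        page = run_script(source, params, escape=escape)
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [page.encode("utf-8")]
    return app


def safe_join(base, user_path):
    """Return the file under `base` named by `user_path`, or None if the
    path escapes `base`.  os.path.join alone is not enough: an absolute
    user_path replaces base, and '..' segments walk out of it.  commonpath
    compares by path component, not string prefix, so 'base_evil/x' is
    also rejected when base is 'base'."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Binding to localhost limits who can connect, not what the script can
    # do; as Wes notes, any local program or user can reach it.
    make_server("localhost", 8080, make_app(STUDENT_SCRIPT)).serve_forever()
```

Requesting /?name=Pete serves "Hi Pete!", and sending the script-tag payload as the name shows it as literal text because escaping happens before the student code runs. That keeps the first lesson to plain input() and print(); the trade-off is that the student never sees the escaping, which is the job a template engine such as Bottle's takes over in the next step.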
web2py was written by a college professor to teach web development on a tight schedule. He didn't like the existing ones that took too long to get a Hello World thing up and running. "Pick a db engine" is not something that needs to be part of the 2 hours of class time this week.

But it is targeting web development, not Python. And I am pretty sure it wants functions and a few other stated requirements. The only reason I bring it up is it may be a better fit than any of the other proposed ideas, and its install really is:

http://www.web2py.com/init/default/download
"After download, unzip it and click on web2py.exe (windows) or web2py.app (osx). To run from source, type: python2.7 web2py.py"
(I guess Linux users are good with "run from source")

I can confirm it works, but I have never done anything real, but I know people who have, so I would not be afraid of it.

OTOH, it may not be the solution you are looking for, and that's fine.

On Mon, Apr 2, 2018 at 3:20 PM, Andrew Harrington <aharrin@luc.edu> wrote:
Big thank you to everybody for the pointers! I now have a lot to test and think about.

best regards,
Aivar

03.04.2018 02:16 Carl Karsten wrote:
On Mon, Apr 2, 2018 at 4:16 PM, Carl Karsten <carl@nextdayvideo.com> wrote: ...
http://www.web2py.com/init/default/download "After download, unzip it and click on web2py.exe (windows) or web2py.app (osx). To run from source, type: python2.7 web2py.py" (I guess Linux users are good with "run from source")
I see it also runs under Python 3.5/3.6
http://www.web2py.com/init/default/what

Great. Handsome website too!

I have a hard time recommending 2.7-based tools to any newcomers to Python, echoing Guido: https://youtu.be/GudJlbK4TY8

Kirby
I made a small adapter for web2py to be used nearly as PHP for beginners :)

web2py templates have the code-html mix with full Python syntax enabled (just indentation is ignored with html, so "pass" is used to end a logical block). So with my example you can program just templates (views):
https://jurgisvcs.pythonanywhere.com/web2py_tutor/lesson_PHP_alike/

ps.: error messages if syntax is messed up in a template might be hard to track (compared to PHP)

On Wed, Apr 4, 2018 at 12:59 AM, kirby urner <kirby.urner@gmail.com> wrote:
-- Jurgis Pralgauskis tel: 8-616 77613; Don't worry, be happy and make things better ;) http://kompiuterija.pasimokom.lt
participants (5)
- Aivar Annamaa
- Andrew Harrington
- Carl Karsten
- Jurgis Pralgauskis
- kirby urner