[Edu-sig] Simplest webapps
Aivar Annamaa
aivar.annamaa at ut.ee
Tue Apr 3 17:39:59 EDT 2018
Big thank you to everybody for the pointers!
I now have a lot to test and think about.
best regards,
Aivar
03.04.2018 02:16 Carl Karsten wrote:
> web2py was written by a college professor to teach web development on
> a tight schedule. He didn't like the existing ones that took too long
> to get a Hello World thing up and running. "pick a db engine" is not
> something that needs to be part of the 2 hours of class time this
> week.
>
> But it is targeting web development, not Python. And I am pretty sure
> it wants functions and a few other stated requirements. The only
> reason I bring it up is it may be a better fit than any of the other
> proposed ideas, and its install really is:
>
> http://www.web2py.com/init/default/download
> "After download, unzip it and click on web2py.exe (windows) or
> web2py.app (osx). To run from source, type: python2.7 web2py.py" (I
> guess Linux users are good with "run from source")
>
> I can confirm it works, but I have never done anything real, but I
> know people who have, so I would not be afraid of it.
>
> OTOH, it may not be the solution you are looking for, and that's fine.
>
> On Mon, Apr 2, 2018 at 3:20 PM, Andrew Harrington <aharrin at luc.edu> wrote:
>> Bottle sounds like it makes things very simple.
>> I also have a chapter introducing server-side Python interaction in very
>> simple cases.
>> http://anh.cs.luc.edu/python/hands-on/3.1/handsonHtml/ch4.html
>> It does come well after function introduction.
>>
>> Dr. Andrew N. Harrington
>> Computer Science Department
>> Graduate Program Director gpd at cs.luc.edu
>> Loyola University Chicago
>> 207 Doyle Center, 1052 W Loyola Ave.
>> http://www.cs.luc.edu/~anh
>> Phone: 773-508-3569
>> Dept. Fax: 773-508-3739
>> aharrin at luc.edu (as professor, not gpd role)
>>
>> On Sat, Mar 31, 2018 at 8:20 PM, Wes Turner <wes.turner at gmail.com> wrote:
>>> Web programming is fun but dangerous.
>>> Things as simple as 'it reads a file off the disk and sends it to the
>>> user' can unintentionally expose every readable file to whoever or whatever
>>> can access localhost.
>>>
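>>> ```python
>>> import os
>>> os.path.join('here', '/etc/shadow')  # -> '/etc/shadow': the absolute part discards 'here'
>>> path = 'here/' + '../../../../etc/shadow'  # the '..' segments climb out of 'here'
>>> ```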
>>>
>>> All of the examples in this thread are susceptible to XSS (Cross Site
>>> Scripting) and CSRF (Cross-site Request Forgery). Don't feel bad; many
>>> college web programming courses teach dangerous methods, too.
>>>
>>> XSS:
>>> ```python
>>> def page():
>>>     # x stands in for user-supplied input, interpolated without escaping
>>>     x = """</body><script>alert('download_mining_script()')</script>"""
>>>     return f'<html><body>{x}'
>>> ```
>>>
>>> Bottle has multiple templating engines which escape user-supplied input
>>> (in order to maintain a separation between data and code).
>>>
>>> Like XSS, SQLi is also a 'code injection' issue. pypi:Records can use
>>> SQLAlchemy. Django is a great framework with a built-in ORM that also
>>> escapes SQL queries.
>>>
>>> CSRF:
>>> - X posts an XSS to site A that POSTs to site B
>>> - 100 users view site A
>>> - [...]
>>>
>>> http://bottle-utils.readthedocs.io/en/latest/csrf.html
>>>
>>> https://bottlepy.org/docs/dev/tutorial.html#html-form-handling
>>>
>>> OWASP has a lot of information on WebSec:
>>>
>>> OWASP Top 10
>>> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>>>
>>> The OWASP Vulnerable Web Applications Directory Project (VWAD)
>>> https://github.com/OWASP/OWASP-VWAD
>>>
>>> Any program or user on the system can read and write to localhost.
>>>
>>>
>>> On Saturday, March 31, 2018, Wes Turner <wes.turner at gmail.com> wrote:
>>>> Bottle is a single file web microframework.
>>>>
>>>> https://github.com/bottlepy/bottle
>>>> https://github.com/bottlepy/bottle/blob/master/bottle.py
>>>>
>>>>> Example: "Hello World" in a bottle
>>>> ```python
>>>> from bottle import route, run, template
>>>>
>>>> @route('/hello/<name>')
>>>> def index(name):
>>>>     return template('<b>Hello {{name}}</b>!',
>>>>                     name=name)
>>>>
>>>> run(host='localhost', port=8080)
>>>> ```
>>>>
>>>> There are docs and every function is Ctrl-F'able within bottle.py.
>>>>
>>>> On Friday, March 30, 2018, kirby urner <kirby.urner at gmail.com> wrote:
>>>>>
>>>>> Very interesting. I note that free users are relegated to Python 2.7
>>>>>
>>>>> Server modules can be Python 3.6 (outside the free version)
>>>>>
>>>>> Client stuff compiles to JavaScript and is approximately 2.7
>>>>>
>>>>> That's a bit confusing maybe. I try to avoid 2.7 but that's not easy.
>>>>>
>>>>> In my Coding with Kids work, we use Codesters.com to teach Python, which
>>>>> depends on Skulpt. Also 2.x ish.
>>>>>
>>>>> Kirby
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Mar 30, 2018 at 11:49 AM, Jason Blum <jason.blum at gmail.com>
>>>>> wrote:
>>>>>> http://anvil.works/ is a pretty interesting approach to Python web
>>>>>> applications.
>>>>>>
>>>>>> On Fri, Mar 30, 2018 at 2:05 PM, kirby urner <kirby.urner at gmail.com>
>>>>>> wrote:
>>>>>>>
>>>>>>> Hi Aivar --
>>>>>>>
>>>>>>> I think it's a fine idea to write simple Python scripts that write
>>>>>>> HTML files, which you may then pull up in the browser.
>>>>>>>
>>>>>>> There's no need to put a server behind static web pages. So, for
>>>>>>> example, I'll have my students write a page of bookmarks:
>>>>>>>
>>>>>>> # -*- coding: utf-8 -*-
>>>>>>> """
>>>>>>> Created on Wed Nov 4 18:02:30 2015
>>>>>>>
>>>>>>> @author: Kirby Urner
>>>>>>> """
>>>>>>>
>>>>>>> # tuple of tuples
>>>>>>> bookmarks = (
>>>>>>>     ("Anaconda.org", "http://anaconda.org"),
>>>>>>>     ("Python.org", "http://python.org"),
>>>>>>>     ("Python Docs", "https://docs.python.org/3/"),
>>>>>>>     ("Spaghetti Code", "http://c2.com/cgi/wiki?SpaghettiCode"),
>>>>>>>     ("Structured Programming",
>>>>>>>      "http://c2.com/cgi/wiki?StructuredProgramming"),
>>>>>>>     ("Map of Languages",
>>>>>>>      "http://archive.oreilly.com/pub/a/oreilly//news/languageposter_0504.html"),
>>>>>>>     ("XKCD", "http://xkcd.com"),
>>>>>>> )
>>>>>>>
>>>>>>> page = '''\
>>>>>>> <!DOCTYPE HTML>
>>>>>>> {}
>>>>>>> '''
>>>>>>>
>>>>>>> html = """\
>>>>>>> <HTML>
>>>>>>> <HEAD>
>>>>>>> <TITLE>Bookmarks for Python</TITLE>
>>>>>>> </HEAD>
>>>>>>> <BODY>
>>>>>>> <H3>Bookmarks</H3>
>>>>>>> <BR />
>>>>>>> <UL>
>>>>>>> {}
>>>>>>> </UL>
>>>>>>> </BODY>
>>>>>>> </HTML>
>>>>>>> """.lower()
>>>>>>>
>>>>>>> the_body = ""
>>>>>>> for place, url in bookmarks:
>>>>>>>     the_body += "<li><a href='{}'>{}</a></li>\n".format(url, place)
>>>>>>>
>>>>>>> webpage = open("links.html", "w")
>>>>>>> print(page.format(html.format(the_body)), file=webpage)
>>>>>>> webpage.close()
>>>>>>>
>>>>>>> All you need add to your example is using print() to save to a file,
>>>>>>> so the browser has something to open.
>>>>>>>
>>>>>>> I would not call this a "web app" yet it's instructive in showing how
>>>>>>> Python can write HTML files.
>>>>>>>
>>>>>>> Kirby
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Mar 28, 2018 at 12:18 AM, Aivar Annamaa <aivar.annamaa at ut.ee>
>>>>>>> wrote:
>>>>>>>> Hi!
>>>>>>>>
>>>>>>>> Let's say my students are able to write programs like this:
>>>>>>>>
>>>>>>>> name = input("name")
>>>>>>>>
>>>>>>>> if name == "Pete":
>>>>>>>>     greeting = "Hi"
>>>>>>>> else:
>>>>>>>>     greeting = "Hello!"
>>>>>>>>
>>>>>>>> print(f"""
>>>>>>>> <html>
>>>>>>>> <body>
>>>>>>>> {greeting} {name}!
>>>>>>>> </body>
>>>>>>>> </html>
>>>>>>>> """)
>>>>>>>>
>>>>>>>> I'd like to allow them to start writing web-apps without introducing
>>>>>>>> functions first (most web-frameworks require functions).
>>>>>>>>
>>>>>>>> It occurred to me that it's not hard to create a wrapper, which
>>>>>>>> presents this code as a web-app (input would be patched to look up GET or
>>>>>>>> POST parameters with given name).
>>>>>>>>
>>>>>>>> This approach would allow simple debugging of the code on a local
>>>>>>>> machine and no extra libraries are required in this phase.
>>>>>>>>
>>>>>>>> Any opinions on this? Has this been tried before?
>>>>>>>>
>>>>>>>> best regards,
>>>>>>>> Aivar
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Edu-sig mailing list
>>>>>>>> Edu-sig at python.org
>>>>>>>> https://mail.python.org/mailman/listinfo/edu-sig
>>>>>>>>
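An added example, not part of any message in the thread: the file-path and XSS problems that Wes Turner's message describes, each shown beside a hardened form. The function names and the temporary directory are constructed for illustration; the payload string is the one quoted in the thread.

```python
import html
import os
import tempfile

def unsafe_path(base, user_path):
    # The pattern from the thread: an absolute user_path replaces base outright.
    return os.path.join(base, user_path)

def safe_path(base, user_path):
    """Resolve user_path under base; raise ValueError if it escapes base."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # realpath collapses '..' and follows symlinks before the containment check.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes {base!r}: {user_path!r}")
    return candidate

def unsafe_page(name):
    # Raw interpolation: markup in name becomes part of the page.
    return f"<html><body>Hello {name}!</body></html>"

def safe_page(name):
    # html.escape turns < > & and quotes into entities, so name stays data.
    return f"<html><body>Hello {html.escape(name)}!</body></html>"

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as base:  # constructed document root
        open(os.path.join(base, "index.html"), "w").close()
        results["ok"] = safe_path(base, "index.html")
        for attempt in ("/etc/shadow", "../../../../etc/shadow"):
            try:
                safe_path(base, attempt)
                results[attempt] = "allowed"
            except ValueError:
                results[attempt] = "rejected"
    payload = "</body><script>alert('download_mining_script()')</script>"
    results["raw"] = unsafe_page(payload)
    results["escaped"] = safe_page(payload)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Template engines such as the ones Bottle ships apply the same escaping automatically, which is why the thread's `template('<b>Hello {{name}}</b>!', name=name)` form is safer than a hand-built f-string.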