Testers wanted - new Python DHTML framework

Moshe Zadka m at moshez.org
Wed Jul 16 13:05:51 CEST 2003

On Wed, 16 Jul 2003, David McNab <postmaster at> wrote:

>  - easy to learn and use

Have you demonstrated it? Did you give the documentation to someone,
and had him writing useful software? Or is this just an assumption
based on the fact that you find it easy to use, and did not have
to learn it?

>  - lets you build your pages with a simple, intuitive and coherent
>    document object model (DOM)

Is your DOM more simple, intuitive and coherent than minidom? microdom?
DOM is usually used in reference to the W3C standard. If you deviate
from the standard, it's probably best not to call what you have "DOM".

>  - extremely extensible

Did you try to extend it, and are reporting success? With two different
extension directions? Or is this, again, an assumption?

> , lends itself well to templating

You mean each person has to implement templating on his own? Or does
it have a templating system?

>  - oersistent datastore that is stored on browser as compressed cookes.
>    secured via hmac/sha1, can store 10-25k of data on browser.

That probably depends on the browser. The standard states:
      * at least 4096 bytes per cookie (as measured by the size of the
        characters that comprise the cookie non-terminal in the syntax
        description of the Set-Cookie header)
which means that cookies might get cut off or not stored at all by
the client. You might be splitting the cookies off transparently, which
should let you go up to 80k, but would probably make the job of anyone
wanting to send his own cookies hard.

The standard also says, however,
Applications should use as few and as small cookies as possible, and they
should cope gracefully with the loss of a cookie. 
[All quotes are from http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2109.html]

>    Accessed in
>    python code by simply reading and setting attributes of an object

It also matters, probably, that you use a secure RNG generator for the
"secret" in the sha1/hmac schemes, otherwise a malicious client can still
force you to execute code. The RNG in Python, for example, is
        if a is None:
            # Initialize from current time
            import time
            a = long(time.time() * 256)
Since your server graciously sends the time, then if this is done via
CGI the client can try guessing several values for the time. CGI applications
usually run less than five seconds, so the client can even perform a brute
force attack.

> All feedback gratefully received.

Moshe Zadka -- http://moshez.org/
Buffy: I don't like you hanging out with someone that... short.
Riley: Yeah, a lot of young people nowadays are experimenting with shortness.
Agile Programming Language -- http://www.python.org/

More information about the Python-list mailing list