Wapp - A Web-Application Framework for TCL
==========================================
1.0 Introduction
----------------
Wapp is a framework for writing web applications in TCL.
Wapp has the following advantages:
* Small API surface → Simple to learn and use
* Efficient
* Self-contained
* Resistant to attacks and exploits
* Yields applications that are trival to enhance and maintain
* Cross-platform - works with any web server, or runs stand-alone
* A complete application is contained in a single TCL script
* The Wapp framework itself is also just a single TCL script
that is "source"-ed, "package require"-ed,
or even copy/pasted into the application TCL script
2.0 The Problem That Wapp Attempts To Solve
-------------------------------------------
Do you ever need
a simple script to provide a list of files (such as on a download page),
or small app to manage conference room scheduling for the office, or
a few simple pages to monitor or manage the status of a server?
These sorts of problems are traditionally handled with ad-hoc
CGI scripts using libraries that decode the HTTP request and
safely encoding the reply. This presents a number of problems:
* A single application typically involves multiple files. There
will be CSS and javascript files and other resources, plus at
least one file for each distinct URI serviced by the application.
This makes long-term maintenance difficult because people lose
track of which files in the web hierarchy belong to which applications.
* The implementation will typically only work with a single
stack. Case in point: the web interface for the MailMan
mailing list manager only works on Apache, so if you are running
something different you are out of luck.
* Because the implementation is tied to a single stack, the
application development environment must mirror the deployment
environment. To debug or enhance an application running on
web server X, the developer must set up an instance of X on the
development machine, or else do risky development work directly
on the production machine.
* Great care is required to safely decoding HTTP parameters and
encoding HTML and JSON, so as to avoid injection attacks.
A single slip-up can result in a vulnerability.
Wapp seeks to overcome these problems by providing a mechanism to create
powerful applications contained within a single file of easily-readable
TCL script. Deployment options are flexible:
1. During development, a Wapp application can be run from the
command-line, using a built-in web server listening on the
loopback IP addrss. Whenever Wapp is run in this mode, it
also automatically brings up the start page for the application
in the systems default web browser.
2. The built-in web-server in Wapp can also be used in deployment
by having it listen on a low-numbered port and on public facing
IP addresses.
3. Wapp applications can be run as CGI on systems like Apache.
4. Wapp applications can be run as SCGI on systems like Nginx.
All four deployment options use the same application code and present the
same interface to the application user. Method (1) is normally used during
development and maintenance. After testing, the single script file
that implements
the application is pushed out to servers for deployment using one of
options (2), (3), or (4). In this way, Wapp applications are easy to
manage and are not tied to any particular web stack.
Wapp applications are inheriently resistant against XSS and CSRF attacks.
Safety features such as safe parameter decoding and HTML/JSON encoding and
Content Security Policy (CSP) are enabled by default. This enables
developers to spend more time working on the application, and less
time worrying about whether or not they have introduced some security
hole by failing to safely encode or decode content.
3.0 Further information
-----------------------
* [Introduction To Writing Wapp Applications](docs/intro.md)
* [Wapp Parameters](docs/params.md)
* [Wapp Commands](docs/commands.md)
* [Security Features](docs/security.md)
* [Limitations of Wapp](docs/limitations.md)
* [Example Applications](/file/examples)
Wapp - A Web-Application Framework for TCL
==========================================
1.0 Introduction
----------------
Wapp is a new framework for writing web applications in TCL,
with the following advantages:
* Very small API surface → Simple to learn and use
* A complete application is contained in a single file
* Resistant to attacks and exploits
* Cross-platform → Works via CGI, SCGI, or using a built-in web server
* Does not require MVC, but can do MVC if desired
* The Wapp framework itself is a single-file TCL script
that is "source"-ed, "package require"-ed,
or even copy/pasted into the application TCL script
2.0 Hello World
---------------
Here is a minimal web application written using Wapp:
>
#!/usr/bin/tclsh
package require wapp
proc wapp-default {} {
wapp-subst {<h1>Hello, World!</h1>\n}
}
wapp-start $argv
To run this application using the built-in web-server, store the code above
in a file (here we use the name "hello.tcl") and do:
>
tclsh hello.tcl
To run the app using the built-in web-server bound to all TCP addresses
and listening on port 8080, use:
>
tclsh hello.tcl --server 8080
To run the app as an SCGI server listening on port 9001:
>
tclsh hello.tcl --scgi 9001
To run the application as CGI, make the hello.tcl file executable and
move into the appropriate directory of your web server.
3.0 Further information
-----------------------
* [Introduction To Writing Wapp Applications](docs/intro.md)
* [Quick Reference](docs/quickref.md)
* [Wapp Parameters](docs/params.md)
* [Wapp Commands](docs/commands.md)
* [URL Mapping](docs/urlmapping.md)
* [Security Features](docs/security.md)
* [Limitations of Wapp](docs/limitations.md)
* [Example Applications](/file/examples)
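Review bot: the new section 1.0 keeps the bullet "Resistant to attacks and exploits", but the rewrite drops the only paragraph that backed it, the one saying Wapp applications resist XSS and CSRF and that safe parameter decoding, HTML/JSON encoding and Content Security Policy (CSP) are enabled by default. Suggest keeping one sentence of that in the introduction, or linking the bullet to docs/security.md, so the claim is not left unsupported on the landing page. In the new section 2.0, `tclsh hello.tcl --server 8080` is described as binding to all TCP addresses, while the removed text explained that the plain `tclsh hello.tcl` mode listens on the loopback address; stating that contrast next to the two commands would tell a reader which one is meant for development and which one exposes the script to the network.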