306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
|
+ **wapp-clear-cookie** _NAME_
Erase the cookie _NAME_.
+ **wapp-safety-check**
Examine all TCL procedures in the application and report errors about
unsafe usage of "wapp".
+ **wapp-unsafe** _TEXT_
Add _TEXT_ to the web page under construction even though _TEXT_ does
contain TCL variable and command substitutions. The application developer
must ensure that the variable and command substitutions does not allow
XSS attacks. Avoid using this command. The use of "wapp-subst" is
preferred in most situations.
+ **wapp-escape-html** _TEXT_
Add _TEXT_ to the web page under construction after first escaping any
HTML markup contained with _TEXT_. This command is equivalent to
"wapp-subst {%html(_TEXT_)}".
+ **wapp-escape-url** _TEXT_
Add _TEXT_ to the web page under construction after first escaping any
characters so that the result is safe to include as the value of a
query parameter on a URL. This command is equivalent to
"wapp-subst {%url(_TEXT_)}".
The following additional interfaces are envisioned, but are not yet
implemented:
+ **wapp-send-hex** _HEX_
Cause the HTTP reply to be binary that is constructed from the
hexadecimal text in the _HEX_ argument. Whitespace in _HEX_ is ignored.
This command is useful for returning small images from a pure script
input. The "wapp-file-to-hex" command can be used at development time
to generate appropriate _HEX_ for an image file.
+ **wapp-cache-control** _CONTROL_
The _CONTROL_ argument should be one of "no-cache", "max-age=N", or
"private,max-age=N", where N is an integer number of seconds.
|
|
<
<
<
<
<
|
<
<
<
<
|
<
<
<
<
<
<
<
<
<
<
|
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
|
+ **wapp-clear-cookie** _NAME_
Erase the cookie _NAME_.
+ **wapp-safety-check**
Examine all TCL procedures in the application and report errors about
unsafe usage of "wapp".
+ **wapp-cache-control** _CONTROL_
The _CONTROL_ argument should be one of "no-cache", "max-age=N", or
"private,max-age=N", where N is an integer number of seconds.
The following additional interfaces are envisioned, but are not yet
implemented:
+ **wapp-send-hex** _HEX_
Cause the HTTP reply to be binary that is constructed from the
hexadecimal text in the _HEX_ argument. Whitespace in _HEX_ is ignored.
This command is useful for returning small images from a pure script
input. The "wapp-file-to-hex" command can be used at development time
to generate appropriate _HEX_ for an image file.
+ **wapp-etag** _ETAG_
Set the expiration tag for the web page.
+ **wapp-send-file** _FILENAME_
Make the content of the file _FILENAME_ be the HTTP reply.
+ **wapp-send-query** _DB_ _SQL_
|
363
364
365
366
367
368
369
370
371
372
373
374
375
376
|
+ **wapp-debug-port** _PORT_
For debugging use only: open a listening TCP socket on _PORT_ and run
an interactive TCL shell on connections to that port. This allows for
interactive debugging of a running instance of the Wapp server. This
command is a no-op for short-lived CGI programs, obviously. Also, this
command should only be used during debugging, as otherwise it introduces
a severe security vulnerability into the application.
6.0 Limitations
---------------
Each Wapp process is single-threaded.
The fileevent command is used to allow accepting multiple simultaneous
HTTP requests. However, as soon as a complete request is received, and
|
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
|
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
|
+ **wapp-debug-port** _PORT_
For debugging use only: open a listening TCP socket on _PORT_ and run
an interactive TCL shell on connections to that port. This allows for
interactive debugging of a running instance of the Wapp server. This
command is a no-op for short-lived CGI programs, obviously. Also, this
command should only be used during debugging, as otherwise it introduces
a severe security vulnerability into the application.
The following interfaces are deprecated. They currently exist for
compatibility but might disappear at any moment.
+ **wapp-unsafe** _TEXT_
Add _TEXT_ to the web page under construction even though _TEXT_ does
contain TCL variable and command substitutions. The application developer
must ensure that the variable and command substitutions does not allow
XSS attacks. Avoid using this command. The use of "wapp-subst" is
preferred in most situations.
+ **wapp-escape-html** _TEXT_
Add _TEXT_ to the web page under construction after first escaping any
HTML markup contained with _TEXT_. This command is equivalent to
"wapp-subst {%html(_TEXT_)}".
+ **wapp-escape-url** _TEXT_
Add _TEXT_ to the web page under construction after first escaping any
characters so that the result is safe to include as the value of a
query parameter on a URL. This command is equivalent to
"wapp-subst {%url(_TEXT_)}".
6.0 Limitations
---------------
Each Wapp process is single-threaded.
The fileevent command is used to allow accepting multiple simultaneous
HTTP requests. However, as soon as a complete request is received, and
|