Wapp

#!/usr/bin/make

CFLAGS = -Os -static
CC = gcc $(CFLAGS)
OPTS = -DSQLITE_ENABLE_DESERIALIZE
TCLLIB = /home/drh/tcl/lib/libtcl8.7.a -lm -lz -lpthread -ldl
TCLINC = /home/drh/tcl/include
TCLSH = tclsh

all: wapptclsh

wapptclsh: wapptclsh.c
	$(CC) -I. -I$(TCLINC) -o $@ $(OPTS) wapptclsh.c $(TCLLIB)

wapptclsh.c:	wapptclsh.c.in wapp.tcl wapptclsh.tcl tclsqlite3.c mkccode.tcl
	$(TCLSH) mkccode.tcl wapptclsh.c.in >$@

clean:	
	rm wapptclsh wapptclsh.c

#!/usr/bin/make

CC = gcc -O0 -framework CoreFoundation
TCLLIB = /Users/drh/tcl/lib/libtcl8.7.a -lm -lz -lpthread -ldl
TCLINC = /Users/drh/tcl/include
TCLSH = /Users/drh/tcl/bin/tclsh8.7

all: wapptclsh

wapptclsh: wapptclsh.c
	$(CC) -I. -I$(TCLINC) -o $@ wapptclsh.c $(TCLLIB)

wapptclsh.c:	wapptclsh.c.in wapp.tcl wapptclsh.tcl tclsqlite3.c mkccode.tcl
	$(TCLSH) mkccode.tcl wapptclsh.c.in >$@

clean:	
	rm wapptclsh wapptclsh.c

Wapp - A Web-Application Framework for TCL
==========================================

Wapp is a framework for writing web applications in TCL,
with the following advantages:

  *   Small and simple API → easy to learn and use
  *   A complete app is a single small file of TCL
  *   Resistant to attacks and exploits
  *   Cross-platform → CGI, SCGI, or a built-in web server
  *   The Wapp framework itself is a single-file TCL script
  *   Easy to embed in a larger application, if desired
  *   2-clause BSD license

Documentation
-------------

  *  ["Hello World!" App (6 lines of code)](/doc/trunk/docs/helloworld.md)
  *  [Introduction To Writing Wapp Applications](/doc/trunk/docs/intro.md)
  *  [Quick Reference](/doc/trunk/docs/quickref.md)
  *  [Wapp Parameters](/doc/trunk/docs/params.md)
  *  [Wapp Commands](/doc/trunk/docs/commands.md)
  *  [CGI Parameters](/doc/trunk/docs/quickref.md#cgiparams)
  *  [URL Mapping](/doc/trunk/docs/urlmapping.md)
  *  [Security Features](/doc/trunk/docs/security.md)
  *  [How To Compile wapptclsh - Or Not](/doc/trunk/docs/compiling.md)
  *  [Limitations of Wapp](/doc/trunk/docs/limitations.md)
  *  [Example Applications](/file/examples)
  *  [Real-World Uses Of Wapp](/doc/trunk/docs/usageexamples.md)
  *  [Debugging Hints](/doc/trunk/docs/debughints.md)

Simple Live Demos
-----------------

  *  <https://wapp.tcl.tk/demo/>

Downloads
---------

  *   Download just the single
      [Wapp TCL file](/file/wapp.tcl?mimetype=text/plain), if you already
      have a TCL environment
  *   Download a [tarball](/tarball/wapp.tar.gz) or
      [ZIP Archive](/zip/wapp.zip) of the latest snapshot of this
      entire repository, or
  *   Clone the entire repository using the [Fossil](https://fossil-scm.org/)
      command "fossil clone [](https://wapp.tcl.tk)".

Extended And Enhanced Wapp By Oleg (lego12239)
----------------------------------------------

  *  <https://github.com/lego12239/wapp>

Wapp Commands
=============

Wapp is really just a collection of TCL procs. All procs are in a single file
named "wapp.tcl".

The procs that form the public interface for Wapp begin with "wapp-".  The
implementation uses various private procedures that have names beginning
with "wappInt-".  Applications should use the public interface only.

The most important Wapp interfaces are:

  +  **wapp-start**
  +  **wapp-subst** and **wapp-trim**
  +  **wapp-param**

Understand the four interfaces above, and you will have a good understanding
of Wapp.  The other interfaces are merely details.

The following is a complete list of the public interface procs in Wapp:

  +  **wapp-start** _ARGLIST_  
     Start up the application.  _ARGLIST_ is typically the value of $::argv,
     though it might be some subset of $::argv if the containing application
     has already processed some command-line parameters for itself.  By default,
     this proc never returns, and so it should be very last command in the
     application script.  To embed Wapp in a larger application, include
     the -nowait option in _ARGLIST_ and this proc will return immediately
     after setting up all necessary file events.

  +  <a name='wapp-subst'></a>**wapp-subst** _TEXT_  
     This command appends text to the end of reply to an HTTP request.
     The _TEXT_ argument should be enclosed in {...} to prevent 
     accidental substitutions.
     The "wapp-subst" command itself will do all necessary backslash
     substitutions.  [Command and variable substitutions](./subst.md) occur
     within "%html(...)", "%url(...)", "%qp(...)", "%string(...)", and
     "%unsafe(...)".  The substitutions are escaped (except in the case of
     "%unsafe(...)") so that the result is safe for inclusion within the
     body of an HTML document, a URL, a query parameter, or a javascript or
     JSON string literal, respectively. 

> >  <b>Caution #1:</b> When using Tcl 8.6 or
     earlier, command substitution, but not variable substitution, occurs
     outside of the quoted regions. This problem is fixed using the new
     "-command" option to the regsub command in Tcl 8.7.  Nevertheless, 
     it is suggested that you avoid using the "[" character outside of
     the %-quotes.  Use "\&#91;" instead.

> >  <b>Caution #2:</b> The %html() and similar %-substitutions are parsed
     using a regexp, which means that they cannot do matching parentheses.
     The %-substitution is terminated by the first close parenthesis, not the
     first matching close-parenthesis.

  +  <a name='wapp-trim'></a>**wapp-trim** _TEXT_  
     Just like wapp-subst, this routine appends _TEXT_ to the web page
     under construction. The same [substitution functions](./subst.md)
     are supported.  The difference is that this routine also removes
     surplus whitespace from the left margin, so that if the _TEXT_
     argument is indented in the source script, it will appear at the
     left margin in the generated output.

  +  <a name='wapp-param'></a>**wapp-param** _NAME_ _DEFAULT_  
     Return the value of the [Wapp parameter](params.md) _NAME_,
     or return _DEFAULT_ if there is no such query parameter or environment
     variable.  If _DEFAULT_ is omitted, then it is an empty string.

  +  **wapp-set-param** _NAME_ _VALUE_  
     Change the value of parameter _NAME_ to _VALUE_.  If _NAME_ does not
     currently exist, it is created.

  +  **wapp-param-exists** _NAME_  
     Return true if and only if a parameter called _NAME_ exists for the
     current request.

  +  **wapp-param-list** _GLOB_  
     Return a TCL list containing the names of all parameters for the current
     request.  The _GLOB_ argument is optional.  If provided, only parameters
     that match the GLOB pattern are returned.  If omitted, `*` is used as the
     GLOB pattern.  Note that there are several parameters that Wapp uses
     internally.  Those internal-use parameters all have names that begin
     with ".". 

  +  <a name='allow-xorigin'></a>**wapp-allow-xorigin-params**  
     Query parameters and POST parameters are usually only parsed and added
     to the set of parameters available to "wapp-param" for same-origin
     requests.  This restriction helps prevent cross-site request forgery
     (CSRF) attacks.  Query-only web pages for which it is safe to accept
     cross-site query parameters can invoke this routine to cause query
     parameters to be decoded.

  +  **wapp-mimetype** _MIMETYPE_  
     Set the MIME-type for the generated web page.  The default is "text/html".

  +  **wapp-reply-code** _CODE_  
     Set the reply-code for the HTTP request.  The default is "200 Ok".
     If this value is set to ABORT (with no numeric code, just the 5
     upper-case letters "ABORT") then Wapp will drop the connection without
     sending any reply at all.

  +  **wapp-redirect** _TARGET-URL_  
     Cause an HTTP redirect to _TARGET-URL_.

  +  **wapp-reset**  
     Reset the web page under construction back to an empty string.

  +  **wapp-set-cookie** _NAME_ _VALUE_  
     Cause the cookie _NAME_ to be set to _VALUE_.

  +  **wapp-clear-cookie** _NAME_  
     Erase the cookie _NAME_.

  +  **wapp-safety-check**  
     Examine all TCL procedures in the application and return a text string
     containing warnings about unsafe usage of Wapp commands.  This command
     is run automatically if the "wapp-start" command is invoked with a --lint
     option.

  +  **wapp-cache-control** _CONTROL_  
     The _CONTROL_ argument should be one of "no-cache", "max-age=N", or
     "private,max-age=N", where N is an integer number of seconds.

  +  <a name='csp'></a>**wapp-content-security-policy** _POLICY_  
     Set the Content Security Policy (hereafter "CSP") to _POLICY_.  The
     default CSP is _default\_src 'self'_, which is very restrictive.  The
     default CSP disallows (a) loading any resources from other origins,
     (b) the use of eval(), and (c) in-line javascript or CSS of any kind.
     Set _POLICY_ to "off" to completely disable the CSP mechanism.  Or
     specify some other policy suitable for the needs of the application.
     <p>The following allows inline images using
     &lt;img src='data:...'&gt; and inline "style='...'" attributes,
     but restricts all other attack vectors and thus seems to be a good
     choice for many applications:
     <blockquote><pre>
     wapp-content-security-policy {
        default-src 'self' data:;
        style-src 'self' 'unsafe-inline';
     }</pre><blockquote>

  +  <a name="debug-env"></a>**wapp-debug-env**  
     This routine returns text that describes all of the Wapp parameters.
     Use it to get a parameter dump for troubleshooting purposes.

  +  **wapp** _TEXT_  
     Add _TEXT_ to the web page output currently under construction.  No
     interpretation or transformation of  _TEXT_ is performed.  The _TEXT_
     is appended to the output as-is.

  +  **wapp-unsafe** _TEXT_  
     Add _TEXT_ to the web page under construction even though _TEXT_ does
     contain TCL variable and command substitutions.  The application developer
     must ensure that the variable and command substitutions does not allow
     XSS attacks.  Avoid using this command.  The use of "wapp-subst" is 
     preferred in most situations.

How To Compile, Or Not
======================

1.0 Use As Pure Tcl - No Compilation Required
---------------------------------------------

The Wapp framework is pure Tcl contained in a single file called
"[wapp.tcl](/file/wapp.tcl)".  That, and a generic "tclsh",
is all you need to run a Wapp application.

For example, when testing Wapp, the developers run the following command from
the root of the source tree:

>
    tclsh tests/test01.tcl

The [test01.tcl](/file/tests/test01.tcl) script does a "source ../wapp.tcl" to
load the Wapp framework.  No special interpreter is required.

The [search function](https://sqlite.org/search) of the SQLite homepage takes
this one step further.  The Tcl script that implements the search function embeds
the wapp.tcl script when the website is built.  The "wapp.tcl" is neither
"source"-ed nor "package require"-ed.  The wapp.tcl script is embedded into the
"search" script.

2.0 Using A Special Interpreter
-------------------------------

It is sometimes convenient to use the special "wapptclsh" interpreter to run
Wapp applications.  The "wapptclsh" works just like ordinary "tclsh" with the
following minor differences:

  +  Wapptclsh understands "package require wapp" natively, without any extra
     finagling.

  +  Wapptclsh comes with SQLite built-in.  SQLite turns out to be very handy
     for the kinds of small web applications that Wapp  is designed for.

  +  Wapptclsh builds are (by default) statically linked, so that it works inside
     chroot jails that lack all the shared libraries needed by generic "tclsh".

To reiterate: "wapptclsh" is not required to run Wapp applications.  But it is
convenient.  The developer of Wapp prefers using "wapptclsh" on his installations.

2.1 Compiling The Special Interpreter
-------------------------------------

To build wapptclsh, make a copy of either Makefile or Makefile.macos in the
top-level directory of the source tree.  Change a few settings.  (This step is
not hard as each Makefile is less than 20 lines long.)  Then run the Makefile.

Hints For Debugging Wapp Applications
=====================================

Here are some suggestions for debugging Wapp applications:

  +  If it seems like the [wapp-param](commands.md#wapp-param) command is not 
     working correctly, that might be because the same-origin policy
     is preventing query parameters from being parsed.
     Try adding the [wapp-allow-xorigin-parameters](commands.md#allow-xorigin)
     command to the top of the page generator proc, at
     least temporarily, to see if that clears the problem.

  +  If parts of your webpage do not appear to be working, that might
     be due to the restrictive default 
     [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
     that Wapp uses.  Try temporarily disabling the CSP using a command
     like <blockquote><b>wapp-content-security-policy off</b></blockquote>
     near the top of your page-generator proc.

  +  Temporarily insert the output of the 
     [wapp-debug-env](commands.md#debug-env) command in your output to see
     what is going on.  Example:
     
> > 
    wapp-trim {
      <h1>Environment</h1>
      <pre>%html([wapp-debug-env])</pre>
    }

Developing Applications Using Wapp
==================================

You can use whatever development practices you are comformable with.  But
if you want some hints for getting started, consider the following:

  1.  Compile the "wapptclsh" executable.  You do not need a separate
      interpreter to run Wapp.  A standard "tclsh" will work fine.  But
      "wapptclsh" contains the a built-in copy of "wapp.tcl" and it
      has SQLite compiled in.  We find it convenient to use.  The sequel
      will assume you have "wapptclsh" somewhere on your $PATH.

  2.  Seed your application using one of the templates scripts in
      the [examples](/file/examples) folder of this repository.  Verify
      that you can run the template and that it works.

  3.  Make a few simple changes to the code.

  4.  Run "wapptclsh yourcode.tcl" to test your changes.  Use the --trace
      option to list each HTTP request URI as it is encountered.  Use the
      --lint option to scan the application code for dodgy constructs that
      might be a security problem.

  5.  Goto 3.  Continue looping until your application does what you want.

  6.  Move the application script to your server for deployment.

During the loop between steps (3) and (5), there is no web server sitting
in between the application and your browser, which means there is no
translation or interpretation of traffic.  This can help make debugging
easier.  Also, you can add "puts" commands to the application to get
interactive debugging in the shell that ran the "wapptclsh yourcode.tcl"
command while the application is running.

<div class='fossil-doc' data-title='Wapp Documentation Index'>

<center>
<form action='$ROOT/docsrch' method='GET'>
<input type="text" name="s" size="40" autofocus>
<input type="submit" value="Search Docs">
</form>
</center>

<h1>Primary Documents</h1>
<ul>
<li><a href="$ROOT/doc/trunk/docs/intro.md">Introduction To Writing Wapp Applications</a></li>
<li><a href="$ROOT/doc/trunk/docs/quickref.md">Quick Reference</a></li>
<li><a href="$ROOT/doc/trunk/docs/params.md">Wapp Parameters</a></li>
<li><a href="$ROOT/doc/trunk/docs/commands.md">Wapp Commands</a></li>
<li><a href="$ROOT/doc/trunk/docs/urlmapping.md">URL Mapping</a></li>
<li><a href="$ROOT/doc/trunk/docs/security.md">Security Features</a></li>
<li><a href="$ROOT/doc/trunk/docs/compiling.md">How To Compile wapptclsh - Or Not</a></li>
<li><a href="$ROOT/doc/trunk/docs/limitations.md">Limitations of Wapp</a></li>
<li><a href="$ROOT/file/examples">Example Applications</a></li>
<li><a href="$ROOT/doc/trunk/docs/usageexamples.md">Real-World Uses Of Wapp</a></li>
</ul>
</div>

Downloads
=========

Complete Source Bundles
-----------------------

  *  [Tarball](/tarball/wapp.tar.gz)
  *  [ZIP Archive](/zip/wapp.zip)
  *  [SQL Archive](/sqlar/wapp.sqlar) ← [what is this?](https://sqlite.org/sqlar)

Just The wapp.tcl Script
------------------------

  *  [wapp.tcl](/file/wapp.tcl)

To Clone The Repository
-----------------------

>
     fossil clone https://wapp.tcl.tk/index.html wapp.fossil
     fossil open wapp.fossil

Hello World
===========

Here is a "Hello, World!" web application written using Wapp:

>
    #!/usr/bin/tclsh
    package require wapp
    proc wapp-default {} {
      wapp-subst {<h1>Hello, World!</h1>\n}
    }
    wapp-start $argv

To run this application using the built-in web-server, store the code above
in a file (here we use the name "hello.tcl") and do:

>
    tclsh hello.tcl

To run the application as CGI, make the hello.tcl file executable and
move it into the appropriate directory of the web server.

Further Information
-------------------

  *  [Introduction To Writing Wapp Applications](/doc/trunk/docs/intro.md)
  *  [Quick Reference](/doc/trunk/docs/quickref.md)
  *  [Wapp Parameters](/doc/trunk/docs/params.md)
  *  [Wapp Commands](/doc/trunk/docs/commands.md)
  *  [URL Mapping](/doc/trunk/docs/urlmapping.md)
  *  [Security Features](/doc/trunk/docs/security.md)
  *  [How To Compile wapptclsh - Or Not](/doc/trunk/docs/compiling.md)
  *  [Limitations of Wapp](/doc/trunk/docs/limitations.md)
  *  [Example Applications](/file/examples)
  *  [Real-World Uses Of Wapp](/doc/trunk/docs/usageexamples.md)
  *  [Debugging Hints](/doc/trunk/docs/debughints.md)

Introducing To Writing Wapp Applications
========================================

1.0 Hello World
---------------

Wapp applications are easy to develop.  A hello-world program is as follows:

>
    #!/usr/bin/wapptclsh
    package require wapp
    proc wapp-default {} {
       wapp-subst {<h1>Hello, World!</h1>\n}
    }
    wapp-start $::argv

Every Wapp application defines one or more procedures that accept HTTP
requests and generate appropriate replies.
For an HTTP request where the initial portion of the URI path is "abcde", the
procedure named "wapp-page-abcde" will be invoked to construct the reply.
If no such procedure exists, "wapp-default" is invoked instead.  The latter
technique is used for the hello-world example above.

The hello-world example generates the reply using a single call to the "wapp-subst"
command.  Each "wapp-subst" command appends new text to the reply, applying
various substitutions as it goes.  The only substitution in this example is
the \\n at the end of the line.

The "wapp-start" command starts up the application.

1.1 Running A Wapp Application
------------------------------

To run this application, copy the code above into a file named "main.tcl"
and then enter the following command:

>
    wapptclsh main.tcl

That command will start up a web-server bound to the loopback
IP address, then launch a web-browser pointing at that web-server.
The result is that the "Hello, World!" page will automatically
appear in your web browser.

To run this same program as a traditional web-server on TCP port 8080, enter:

>
    wapptclsh main.tcl --server 8080

Here the built-in web-server listens on all IP addresses and so the
web page is available on other machines.  But the web-browser is not
automatically started in this case, so you will have to manually enter
"http://localhost:8080/" into your web-browser in order to see the page.

To run this program as CGI, put the main.tcl script in your web-servers
file hierarchy, in the appropriate place for CGI scripts, and make any
other web-server specific configuration changes so that the web-server
understands that the main.tcl file is a CGI script.  Then point your
web-browser at that script.

Run the hello-world program as SCGI like this:

>
    wapptclsh main.tcl --scgi 9000

Then configure your web-server to send SCGI requests to TCP port 9000
for some specific URI, and point your web-browser at that URI.  By
default, the web-server must be on the same machine as the wapp script.
The --scgi option only accepts SCGI requests from IP address 127.0.0.1.
If your webserver is running on a different machine, use the --remote-scgi
option instead, probably with a --fromip option to specify the IP address
of the machine that is running the webserver.

1.2 Using Plain Old Tclsh
-------------------------

Wapp applications are pure TCL code.  You can run them using an ordinary
"tclsh" command if desired, instead of the "wapptclsh" shown above.  We
normally use "wapptclsh" for the following reasons:

   +  Wapptclsh is statically linked, so there is never a worry about
      having the right shared libraries on hand.  This is particularly
      important if the application will ultimately be deployed into a
      chroot jail.

   +  Wapptclsh has SQLite built-in and SQLite turns out to be very
      useful for the kinds of small applications where Wapp excels.

   +  Wapptclsh knows how to process "package require wapp".  If you
      run with ordinary tclsh, you might need to change the 
      "package require wapp" into "source wapp.tcl" and ship the separate
      "wapp.tcl" script together with your application.

We prefer to use wapptclsh and wapptclsh is shown in all of the examples.
But ordinary "tclsh" will work in the examples too.

2.0 Longer Examples
-------------------

Wapp keeps track of various [parameters](params.md) that describe
each HTTP request.  Those parameters are accessible using routines
like "wapp-param _NAME_"
The following sample program gives some examples:

>
    package require wapp
    proc wapp-default {} {
      set B [wapp-param BASE_URL]
      wapp-trim {
        <h1>Hello, World!</h1>
        <p>See the <a href='%html($B)/env'>Wapp
        Environment</a></p>
      }
    }
    proc wapp-page-env {} {
      wapp-allow-xorigin-params
      wapp-subst {<h1>Wapp Environment</h1>\n<pre>\n}
      foreach var [lsort [wapp-param-list]] {
        if {[string index $var 0]=="."} continue
        wapp-subst {%html($var) = %html([list [wapp-param $var]])\n}
      }
      wapp-subst {</pre>\n}
    }
    wapp-start $argv

In this application, the default "Hello, World!" page has been extended
with a hyperlink to the /env page.  The "wapp-subst" command has been
replaced by "wapp-trim", which works the same way with the addition that
it removes surplus whitespace from the left margin, so that the generated
HTML text does not come out indented.  The "wapp-trim" and "wapp-subst"
commands in this example use "%html(...)" substitutions.  The "..." argument 
is expanded using the usual TCL rules, but then the result is escaped so
that it is safe to include in an HTML document.  Other supported
substitutions are "%url(...)" for
URLs on the href= and src= attributes of HTML entities, "%qp(...)" for
query parameters, "%string(...)" for string literals within javascript,
and "%unsafe(...)" for direct literal substitution.  As its name implies,
the %unsafe() substitution should be avoided whenever possible.

The /env page is implemented by the "wapp-page-env" proc.  This proc
generates HTML that describes all of the query parameters. Parameter names
that begin with "." are for internal use by Wapp and are skipped
for this display.  Notice the use of "wapp-subst" to safely escape text
for inclusion in an HTML document.

The printing of all the parameters as is done by the /env page turns
out to be so useful that there is a special "wapp-debug-env" command
to render the text for us.  Using "wapp-debug-env", the program
above can be simplified to the following:

>
    package require wapp
    proc wapp-default {} {
      set B [wapp-param BASE_URL]
      wapp-trim {
        <h1>Hello, World!</h1>
        <p>See the <a href='%html($B)/env'>Wapp
        Environment</a></p>
      }
    }
    proc wapp-page-env {} {
      wapp-allow-xorigin-params
      wapp-trim {
        <h1>Wapp Environment</h1>\n<pre>
        <pre>%html([wapp-debug-env])</pre>
      }
    }
    wapp-start $argv

Many Wapp applications contain an /env page for debugging and
trouble-shooting purpose.  Examples:
<https://sqlite.org/src/ext/checklist/top/env> and
<https://sqlite.org/search?env=1>


2.1 Binary Resources
--------------------

Here is another variation on the same "hello, world" program that adds an
image to the main page:

>
    package require wapp
    proc wapp-default {} {
      set B [wapp-param BASE_URL]
      wapp-trim {
        <h1>Hello, World!</h1>
        <p>See the <a href='%html($B)/env'>Wapp
        Environment</a></p>
        <p>Broccoli: <img src='broccoli.gif'></p>
      }
    }
    proc wapp-page-env {} {
      wapp-allow-xorigin-params
      wapp-trim {
        <h1>Wapp Environment</h1>\n<pre>
        <pre>%html([wapp-debug-env])</pre>
      }
    }
    proc wapp-page-broccoli.gif {} {
      wapp-mimetype image/gif
      wapp-cache-control max-age=3600
      wapp-unsafe [binary decode base64 {
        R0lGODlhIAAgAPMAAAAAAAAiAAAzMwBEAABVAABmMwCZMzPMM2bMM5nMM5nMmZn/
        mczMmcz/mQAAAAAAACH5BAEAAA4ALAAAAAAgACAAAAT+0MlJXbmF1M35VUcojNJI
        dh5YKEbRmqthAABaFaFsKG4hxJhCzSbBxXSGgYD1wQw7mENLd1FOMa3nZhUauFoY
        K/YioEEP4WB1pB4NtJMMgTCoe3NWg2lfh68SCSEHP2hkYD4yPgJ9FFwGUkiHij87
        ZF5vjQmPO4kuOZCIPYsFmEUgkIlJOVcXAS8DSVoxB0xgA6hqAZaksiCpPThghwO6
        i0kBvb9BU8KkASPHfrXAF4VqSgAGAbpwDgRSaqQXrLwDCF5CG9/hpJKkb17n6RwA
        18To7whJX0k2NHYjtgXoAwCWPgMM+hEBIFDguDrjZCBIOICIg4J27Lg4aGCBPn0/
        FS1itJdNX4OPChditGOmpIGTMkJavEjDzASXMFPO7IAT5M6FBvQtiPnTX9CjdYqi
        cFlgoNKlLbbJfLqh5pAIADs=
      }]
    }
    wapp-start $argv

This application is the same as the previous except that it adds the
"broccoli.gif" image on the main "Hello, World" page.  The image file is
a separate resource, which is provided by the new "wapp-page-broccoli.gif"
proc.  The image is a GIF which has been encoded using base64 so that
it can be put into an text TCL script.  The "[binary decode base64 ...]"
command is used to convert the image back into binary before returning
it.

Other resources might be added using procs like "wapp-page-style.css"
or "wapp-page-script.js".

3.0 General Structure Of A Wapp Application
-------------------------------------------

Wapp applications all follow the same basic template:

>
    package require wapp;
    proc wapp-page-XXXXX {} {
      # code to generate page XXXXX
    }
    proc wapp-page-YYYYY {} {
      # code to generate page YYYYY
    }
    proc wapp-default {} {
      # code to generate any page not otherwise
      # covered by wapp-page-* procs
    }
    wapp-start $argv

The application script first loads the Wapp code itself using
the "package require" at the top.  (Some applications may choose
to substitute "source wapp.tcl" to accomplish the same thing.)
Next the application defines various procs that will generate the
replies to HTTP requests.  Different procs are invoked based on the
first element of the URI past the Wapp script name.  Finally,
the "wapp-start" routine is called to start Wapp running.  The
"wapp-start" routine never returns (or in the case of CGI, it only
returns after the HTTP request has been completely processed), 
so it should be the very last command in the application script.

3.1 Wapp Applications As Model-View-Controller
----------------------------------------------

If you are accustomed to thinking of web applications using the
Model-View-Controller (MVC) design pattern, Wapp supports that
point of view.  A basic template for an MVC Wapp application
is like this:

>
    package require wapp;
    # procs to implement the model go here
    proc wapp-page-XXXXX {} {
      # code to implement controller for XXXXX
      # code to implement view for XXXXX
    }
    proc wapp-page-YYYYY {} {
      # code to implement controller for YYYYY
      # code to implement view for YYYYY
    }
    proc wapp-default {} {
      # code to implement controller for all other pages
      # code to implement view for all other pages
    }
    wapp-start $argv

The controller and view portions of each page need not be coded
together into the same proc.  They can each be sub-procs that
are invoked from the main proc, if separating the functions make
code clearer.

So Wapp does support MVC, but without a lot of complex
machinary and syntax.

Wapp Limitations
================

The current Wapp implementation has the following limitations:

  1.   The actual page generation step is single threaded.  Multiple
       connections can be incoming and multiple replies can be in-flight
       at the same time.  But the generation of each reply happens all
       at once.
       <p>
       This limitation can be worked around by deploying the Wapp application
       using CGI, such that each HTTP request is handled by a separate
       process.

Wapp Parameters
===============

The purpose of a Wapp invocation is to answer an HTTP request.
That HTTP request is described by various "parameters".

Each parameter has a key and a value.

The Wapp application retrieves the value for the parameter with
key _NAME_ using a call to [wapp-param _NAME_].
If there is no parameter with the key _NAME_, then the wapp-param
function returns an empty string.
Or, if wapp-param is given a second argument, the value of the second 
argument is returned if there exists no parameter with a key of _NAME_.

1.0 Parameter Types
-------------------

Each request has four different kinds or sources of parameters:

  1.  **CGI Parameters**  
      Parameters with upper-case names contain information about the
      HTTP request as it was received by the web server.  Examples of
      CGI parameters are CONTENT\_LENGTH which is the number of bytes
      of content in the HTTP request, REMOTE\_ADDR which holds the IP
      address from which the HTTP request originated, REQUEST\_URI which
      is the path component of the URL that caused the HTTP request,
      and many others.  Many of the CGI Parameters have names that
      are the same as the traditional environment variables used to
      pass information into CGI programs - hence the name "CGI Parameters".
      However, with Wapp these values are not necessarily environment
      variables and they all exist regardless of whether the application
      is run using CGI, via SCGI, or using the built-in web server.

  2.  **Cookies**  
      If the HTTP request contained cookies, Wapp automatically decodes
      the cookies into new Wapp parameters.
      Only cookies that have lower-case names are decoded.  This
      prevents a cookie name from colliding with a CGI parameter.
      Cookies that have uppercase letters in their name are silently
      ignored.

  3.  **Query Parameters**  
      Query parameters are the key/value arguments that follow the "?"
      in the URL of the HTTP request.  Wapp automatically decodes the
      key/value pairs and makes a new Wapp parameter for each one.
      <p>
      Only query parameter that have lower-case names are decoded.  This
      prevents a query parameter from overriding or impersonating a
      CGI parameter.  Query parameter with upper-case letters in their
      name are silently ignored.  Furthermore, query parameters are only
      decoded if the HTTP request uses the same origin as the application,
      or if the "wapp-allow-xorigin-params" has been run to signal Wapp
      that cross-origin query parameters are allowed.

  4.  **POST Parameters**  
      POST parameters are the application/x-www-form-urlencoded key/value
      pairs in the content of a POST request that typically originate from
      forms.  POST parameters are treated exactly like query parameters in
      that they are decoded to form new Wapp parameters as long as they
      have all lower-case keys and as long as either the HTTP request comes
      from the same origin or the "wapp-allow-xorigin-params" command has
      been run.
      
All Wapp parameters are held in a single namespace.  There is no way to
distinguish a cookie from a query parameter from a POST parameter.  CGI
parameters can be distinguished from the others by having all upper-case
names.

1.1 Parameter Examples
----------------------

To better understand how parameters work in Wapp, run the 
"[env.tcl](/file/examples/env.tcl)" sample application in the
[examples](/file/examples) folder of the source repository.  Like this:

>   
     wapptclsh examples/env.tcl

The command above should cause a web page to pop up in your web browser.
That page will look something like this:

>**Wapp Environment**
>
    BASE_URL = http://127.0.0.1:33999
    DOCUMENT_ROOT = /home/drh/wapp/examples
    HTTP_ACCEPT_ENCODING = {gzip, deflate}
    HTTP_COOKIE = {env-cookie=simple}
    HTTP_HOST = 127.0.0.1:33999
    HTTP_USER_AGENT = {Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0}
    PATH_HEAD = {}
    PATH_INFO = {}
    PATH_TAIL = {}
    QUERY_STRING = {}
    REMOTE_ADDR = 127.0.0.1
    REMOTE_PORT = 53060
    REQUEST_METHOD = GET
    REQUEST_URI = /
    SAME_ORIGIN = 0
    SCRIPT_FILENAME = /home/drh/wapp/examples/env.tcl
    SCRIPT_NAME = {}
    SELF_URL = http://127.0.0.1:33999/
    WAPP_MODE = local
    env-cookie = simple
    [pwd] = /home/drh/wapp

Try this.  Then modify the URL by adding new path elements and query
parameters to see how this affects the Wapp parameters.
Notice in particular how query parameters are decoded and added to the
set of Wapp parameters.

2.0 Security By Default
-----------------------

Parameter values in the original HTTP request may be encoded in various
ways.  Wapp decodes parameter values before returning them to the
application.  Application developers never see the encoded values.
There is never an opportunity to miss a decoding step.

For security reasons, Query and POST parameters are only added to the
Wapp parameter set if the inbound request is from the "same origin" or
if the special "wapp-allow-xorigin-params" interface is called.
An inbound request is from the same origin if it is in response to
clicking on a hyperlink or form on a page that was generated by the
same website.
Manually typing in a URL does not constitute the "same origin".  Hence,
in the "env.tcl" example above the "wapp-allow-xorigin-params" interface
is used so that you can manually extend the URL to add new query parameters.

If query parameters can have side effects, then you should omit the
wapp-allow-xorigin-params call.  The wapp-allow-xorigin-params command
is safe for read-only web pages.  Do not invoke wapp-allow-xorigin-params
on pages where the parameters can be used to change server state.

<a name='cgidetail'></a>
3.0 CGI Parameter Details [(Quick reference)](quickref.md#cgiparams)
-------------------------

The CGI parameters in Wapp describe the HTTP request that is to be answered
and the execution environment.
These parameter look like CGI environment variables.  To prevent environment
information from overlapping and overwriting query parameters, all the
environment information uses upper-case names and all query parameters
are required to be lower case.  If an input URL contains an upper-case
query parameter (or POST parameter or cookie), that parameter is silently
omitted.

  +  **CONTENT\_TYPE**  
     The mimetype of the POST data.  Usually this is
     application/x-www-form-urlencoded.
     This parameter is omitted for non-POST requests.

  +  **DOCUMENT\_ROOT**  
     For CGI or SCGI, this parameter is the name a directory on the server
     that is the root of the static content tree.  When running a Wapp script
     using the built-in web server, this is the name of the directory that
     contains the script.

  +  **HTTP\_COOKIE**  
     The values of all cookies in the HTTP header.
     This parameter is omitted if there are no cookies.

     "https://" and without the HTTP\_HOST.  This variable is the same as
     the concatenation of $SCRIPT\_NAME and $PATH\_INFO if $QUERY\_STRING
     is blank, or $SCRIPT\NAME/$PATH\_INFO?$QUERY\_STRING if $QUERY\_STRING
     is non-empty.  $REQUEST\_URI is the second field of the first line of
     the HTTP request.

  +  **SCRIPT\_FILENAME**  
     The full pathname on the server for the Wapp script.  This parameter
     is usually undefined for SCGI.

  +  **SCRIPT\_NAME**  
     In CGI mode, this is the name of the CGI script in the URL.  In other
     words, this is the initial part of the URL path that identifies the
     CGI script.  When using the built-in webserver, the value of this
     parameter is an empty string.  For SCGI, this parameter is normally
     undefined.


All of the above are standard CGI environment values.
The following are supplemental environment parameters are added by Wapp:


  +  **BASE\_URL**  
     The text of the request URL through the SCRIPT\_NAME.  This value can
     be prepended to hyperlinks to ensure that the correct page is reached by
     those hyperlinks.

  +  **CONTENT**  
     The raw POST data text.

  +  **PATH\_HEAD**  
     The first element in the PATH\_INFO.  The value of PATH\_HEAD is used to
     select one of the "wapp-page-XXXXX" commands to run in order to generate
     the output web page.

  +  **PATH\_TAIL**  
     All of PATH\_INFO that follows PATH\_HEAD.

  +  **SAME\_ORIGIN**  
     This value is either "1" or "0" depending on whether the current HTTP
     request is a follow-on to another request from this same website or not.
     Query parameters and POST parameters are usually only decoded and added
     to Wapp's parameter list if SAME\_ORIGIN is 1.  If a webpage implemented
     by Wapp needs access to query parameters for a cross-origin request, then
     it should invoke the "wapp-allow-xorigin-params" interface to explicitly
     signal that cross-origin parameters are safe for that page.

  +  **SELF\_URL**  
     The URL for the current page, stripped of query parameter. This is
     useful for filling in the action= attribute of forms.

  +  **SERVER\_ADDR**  
     In SCGI mode only, this variable is the address of the webserver from which
     the SCGI request originates.

  +  **WAPP\_MODE**  
     This parameter has a value of "cgi", "local", "scgi", or "server" depending
     on how Wapp was launched.


### 3.1 URL Parsing Example

For the input URL "http://example.com/cgi-bin/script/method/extra/path?q1=5"
and for a CGI script named "script" in the /cgi-bin/ directory, 
the following CGI environment values are generated:

  +  **HTTP\_HOST** → "example.com:80"
  +  **SCRIPT\_NAME** → "/cgi-bin/script"
  +  **PATH\_INFO** → "/method/extra/path"
  +  **REQUEST\_URI** → "/cgi-bin/script/method/extra/path"
  +  **QUERY\_STRING** → "q1=5"
  +  **BASE\_URL** → "http://example.com/cgi-bin/script"
  +  **SELF\_URL** → "http://example.com/cgi-bin/script/method"
  +  **PATH\_HEAD** → "method"
  +  **PATH\_TAIL** → "extra/path"

The first five elements of the example above, HTTP\_HOST through
QUERY\_STRING, are standard CGI.  The final four elements are Wapp
extensions.  The following is the same information show in a diagram:

>
                                    REQUEST_URI
                       __________________|_________________
                      /                                    \
    http://example.com/cgi-bin/script/method/extra/path?q1=5

Wapp Quick Reference
====================

1.0 Application Template
------------------------

>
    package require wapp
    proc wapp-page-XXXXX {} {
      wapp-trim {
        # Content to deliver for page XXXXX
      }
    }
    proc wapp-default {} {
      wapp-trim {
        # Content for all other pages
      }
    }
    wapp-start $argv
         

2.0 Interfaces
--------------

>
|**wapp-start** $argv|→|Starts up the Wapp application|
|**wapp-subst** {_TEXT_}|→|Append _TEXT_ to the output with substitution|
|**wapp-trim** {_TEXT_}|→|Like **wapp-subst** but also removes left-margin whitespace|
|**wapp-param** _NAME_ _DEFAULT_|→|Return value of parameter _NAME_|
|**wapp-set-param** _NAME_ _VALUE_|→|Set parameter _NAME_ to _VALUE_|
|**wapp-param-exists** _NAME_|→|True if parameter _NAME_ exists|
|**wapp-param-list** _GLOB_|→|Return parameter names matching _GLOB_|
|**wapp-allow-xorigin-params**|→|Allow GET and POST parameters for cross-origin requests|
|**wapp-mimetype** _MIMETYPE_|→|Set the reply mimetype|
|**wapp-reply-code** _CODE_|→|Set the HTTP reply code|
|**wapp-redirect** _TARGET_|→|Redirect to _TARGET_|
|**wapp-reset**|→|Reset the output back to an empty string|
|**wapp-set-cookie** _NAME_ _VALUE_|→|Set cookie _NAME_ to have _VALUE_|
|**wapp-clear-cookie** _NAME_|→|Delete cookie _NAME_|
|**wapp-cache-control** _CONTROL_|→|Set caching behavior of current page|
|**wapp-content-security-policy** _POLICY_|→|Set the CSP for the current page|
|**wapp-debug-env**|→|Return a text description of the Wapp environment|
|**wapp** {_TEXT_}|→|Append _TEXT_ without substitution|
|**wapp-unsafe** _TEXT_|→|Append _TEXT_ that contains nothing that needs to be escaped|


<a name="cgiparams"></a>
3.0 CGI Parameters [(More detail)](params.md#cgidetail)
------------------

>
|BASE\_URL|&rarr;|URL for the Wapp script without a method|
|CONTENT|&rarr;|Raw (unparsed) POST content|
|CONTENT\_LENGTH|&rarr;|Number of bytes of raw, unparsed POST content|
|CONTENT\_TYPE|&rarr;|Mimetype of the POST content|
|DOCUMENT\_ROOT|&rarr;|Directory that is the root of the webserver content tree|
|HTTP\_COOKIE|&rarr;|Raw, unparsed cookies|
|HTTP\_HOST|&rarr;|Hostname to which this request was sent|
|HTTP\_USER\_AGENT|&rarr;|Name of client program that sent current request|
|HTTPS|&rarr;|Exists and has value "on" if the request is TLS encrypted|
|PATH\_HEAD|&rarr;|First element of PATH\_INFO. Determines request handler|
|PATH\_INFO|&rarr;|URL path beyond the application script name|
|PATH\_TAIL|&rarr;|Part of PATH\_INFO beyond PATH\_HEAD|
|REMOTE\_ADDR|&rarr;|IP address of the client|
|REMOTE\_PORT|&rarr;|TCP port of the client|
|REQUEST\_METHOD|&rarr;|"GET" or "POST" or "HEAD"|
|SAME\_ORIGIN|&rarr;|True if this request is from the same origin|
|SCRIPT\_FILENAME|&rarr;|Full pathname of the Wapp application script|
|SCRIPT\_NAME|&rarr;|Prefix of PATH\_INFO that identifies the application script|
|SELF\_URL|&rarr;|URL of this request without PATH\_TAIL|
|SERVER\_ADDR|&rarr;|IP address of the webserver sending an SCGI request|
|WAPP\_MODE|&rarr;|One of "cgi", "scgi", "remote-scgi", "server", or "local"|

4.0 URL Parsing
---------------

Assuming "env.tcl" is the name of the Wapp application script:

>
    https://wapp.tcl.tk/demo/env.tcl/abc/def/ghi?a=5&b=22.425#point42
            \_________/\___________/\__________/ \__________/
                 |           |          |             |
             HTTP_HOST  SCRIPT_NAME  PATH_INFO    QUERY_STRING

Security Considerations
=======================

Wapp strives for security by default.  Applications can disable security
features on an as-needed basis, but the default setting for security
features is always "on".

Security features in Wapp include:

  1.  The default
      [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)
      ("CSP")
      for all Wapp applications is _default-src 'self'_.  In that mode,
      resources must all be loaded from the same origin, the use of
      eval() and similar commands in javascript is prohibited, and
      no in-line javascript or CSS is allowed.  These limitations help
      keep applications safe from 
      [XSS attacks](https://en.wikipedia.org/wiki/Cross-site_scripting),
      even in the face of application coding errors. If these
      restrictions are too severe for an application, the CSP can be
      relaxed or disabled using the 
      "[wapp-content-security-policy](commands.md#csp)" command.

  2.  Access to GET query parameters and POST parameters is prohibited
      unless the origin of the request is the application itself, as
      determined by the Referrer field in the HTTP header. This feature
      helps to prevent
      [Cross-site Request Forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery)
      attacks. The 
      "[wapp-allow-xorigin-params](commands.md#allow-xorigin)" command 
      can be used to disable this protection on a case-by-case basis.

  3.  Cookies, query parameters, and POST parameters are automatically
      decoded before they reach application code. There is no risk
      that the application program will forget a decoding step or
      accidently miscode a decoding operation.

  4.  Cookies, query parameters, and POST parameters are silently discarded
      unless their names begin with a lower-case letter and contain only
      alphanumerics, underscores, and minus-signs.  Hence, there is no risk
      that unusual parameter names can cause quoting problems or other
      vulnerabilities.

  5.  Reply text generated using the "[wapp-subst](commands.md#wapp-subst)"
      and "[wapp-trim](commands.md#wapp-trim)" commands
      automatically escapes generated text so that it is safe for inclusion
      within HTML, within a javascript or JSON string literal, as a URL,
      or as the value of a query parameter. As long as the application
      programmer is careful to always use "wapp-subst" and/or "wapp-trim"
      to generate replies, there is little risk of injection attacks.

  6.  If the application is launched on a command-line with the --lint
      option, then instead of running the application, Wapp scans the
      application code looking for constructs that are unsafe.  Unsafe
      constructs include things such as using 
      "[wapp-subst](commands.md#wapp-subst)" with an argument
      that is not contained within {...}.

  7.  The new (non-standard) SAME\_ORIGIN variable is provided. This variable
      has a value of "1" or "0" depending on whether or not the current HTTP
      request comes from the same origin. Applications can use this information
      to enhance their own security precautions by refusing to provide sensitive
      information or perform sensitive actions if SAME\_ORIGIN is not "1".

  8.  The --scgi mode only accepts SCGI requests from localhost.  This prevents
      an attacker from sending an SCGI request directly to the script and bypassing
      the webserver in the event that the site firewall is misconfigured or omitted.

  9.  Though cookies, query parameters and POST parameters are accessed using
      the same mechanism as CGI variables, the CGI variable names use a disjoint
      namespace.  (CGI variables are all upper-case and all others are lower-case.)
      Hence, it is not possible for a remote attacher to create a fake CGI variable 
      or override the value of a CGI variable.


Part of what makes Wapp easy to use is that it helps free application
developers from the worry of accidently introducing security vulnerabilities
via programming errors.  Of course, no framework is fool-proof.  Developers
still must be aware of security.  Wapp does not prevent every error, but
it does help make writing a secure application easier and less stressful.

Inserting Generated Text Into A Document
========================================

The [wapp-subst](./commands.md#wapp-subst) and 
[wapp-trim](./commands.md#wapp-trim) commands accept various substitution
functions so that generated content can be inserted into the webpage
<i>safely</i>. "Safely" in this context means that characters
having special meaning to HTML or Javascript are escaped.

<center>
<table border="0">

In these cases, the regular expression terminates at the first ")%" that
it sees, rather than the first ")".  The ")%" character sequence is
is less likely to appear as TCL in the argument and hence these routines
provide added flexibility for complex TCL expressions.

## Examples

Consider this simple Wapp program:

>
    package require wapp
    proc wapp-default {} {
      set var1 {Hello <y'all>}
      wapp-subst {<p>%html($var1)</p>}
    }

URL Mapping In Wapp
===================

1.0 Anatomy Of A URL
--------------------

A Uniform Resource Locator (URL) is divided into parts as follows:

>
    https://wapp.tcl.tk/demo/env.tcl/abc/def/ghi?a=5&b=22.425#point42
    \___/   \_________/\_______________________/ \__________/ \_____/
      |          |              |                     |          |
    scheme   authority        path                  query      fragment


Assuming that /demo/env.tcl is the script that implements the application,
traditional CGI and SCGI provide the following breakdown:

>
    https://wapp.tcl.tk/demo/env.tcl/abc/def/ghi?a=5&b=22.425#point42
            \_________/\___________/\__________/ \__________/
                 |           |          |             |
             HTTP_HOST  SCRIPT_NAME  PATH_INFO   QUERY_STRING

Wapp provides additional variables not found in traditional CGI:

>
                SELF_URL
     ______________|___________________
    /                                  \
    https://wapp.tcl.tk/demo/env.tcl/abc/def/ghi?a=5&b=22.425#point42
    \______________________________/ \_/ \_____/
                   |                  |     |
                BASE_URL         PATH_HEAD  '-- PATH_TAIL     


2.0 URL Mapping
---------------

The URL Mapper is the function that determines which routine in the
application should handle an HTTP request based on the URL.  In Wapp,
the default URL Mapper simply looks at PATH\_HEAD and invokes the
application-defined proc name "wapp-page-$PATH\_HEAD".  If no such
proc exists, then Wapp invokes the application-defined proc "wapp-default".

2.1 Customizing The URL Mapper
------------------------------

Just prior to dispatch of the HTTP request handler, Wapp invokes a
proc named "wapp-before-dispatch-hook".  This proc is normally a no-op.
But, applications can redefine the "wapp-before-dispatch-hook" proc to
make modifications to the environment prior to dispatch.  So, for example,
a custom wapp-before-dispatch-hook function can change the value of
the PATH\_HEAD parameter to cause a different request handler to be invoked.

The [checklist](https://sqlite.org/checklistapp) application does this.
See [these lines](https://sqlite.org/checklistapp/artifact/8f94882fa0?ln=715-744)
for the implementation.  If the original PATH\_HEAD is really the name of
a checklist database, then that name is moved to a new parameter called
OBJECT, and PATH\_HEAD is shifted to be the next element of PATH\_TAIL.
In this way, the PATH\_INFO for checklist is parsed into OBJECT/METHOD
rather than just a METHOD.

This is but one example.  Applications can make creative use of
the "wapp-before-dispatch-hook" to make whatever changes are appropriate
for the task at hand.

Web Applications Using Wapp
===========================

The following are some of the known uses of Wapp in the wild:

  1.  The [checklist](https://sqlite.org/checklists) application used to
      manage testing and release of SQLite is a Wapp script.
      Source code for the checklist
      application is at <https://sqlite.org/checklistapp>.

  2.  The [search feature](https://sqlite.org/search?q=fts5) on the SQLite
      homepage is implemented using a Wapp-script, seen
      [here](https://sqlite.org/docsrc/file/search/search.tcl.in).
      (NB: The search.tcl.in script is processed using
      [mkscript.tcl](https://sqlite.org/docsrc/file/search/mkscript.tcl)
      prior to being deployed.)

  3.  The [TCL-driven tests for SQLite](https://www.sqlite.org/testing.html#test_harnesses)
      have a Wapp-based interface that shows the testing progress.  To see
      this interface in action, get a copy of the SQLite source tree and
      run:

>
      configure
      make testfixture
      tclsh test/wapptest.tcl

if {$mode!="hex" && $mode!="base64"} {
  puts stderr "Usage: $argv0 (hex|base64) FILENAME"
  exit
}
set filename [lindex $argv 1]
set fd [open $filename rb]
set x [binary encode $mode [read $fd]]
puts "  wapp-unsafe \[binary decode $mode \173"
set n [string length $x]
for {set i 0} {$i<$n} {incr i 64} {
  puts "    [string range $x $i [expr {$i+63}]]"
}
puts "  \175\]"

#!/usr/bin/wapptclsh
#
# This script demonstrates the use of the wapp-before-reply-hook interface.
#
# The wapp-before-reply-hook is a TCL proc that runs just before the reply
# to an HTTP request is generated.  It has the opportunity to review the
# HTTP reply to ensure that no sensitive information is present in the
# reply, due to accidents or bugs in the code.  It can modify the reply
# or generate an error.
#
# Most applications omit the wapp-before-reply-hook in which case it is
# a no-op.
#
# This demo is the "self.tcl" demo, with a wapp-before-reply-hook added
# that changes all instances of the string "before-reply" into "XXXXXXXXXXXX".
#
package require wapp
proc wapp-before-reply-hook {} {
  global wapp
  dict set wapp .reply \
    [string map {before-reply XXXXXXXXXXXX} [dict get $wapp .reply]]
}
proc common-header {} {
  wapp-trim {
    <html>
    <head>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <link href="%url([wapp-param SCRIPT_NAME]/style.css)" rel="stylesheet">
    <title>Wapp Self-Display Demo</title>
    </head>
    <body>
  }
}
proc common-footer {} {
  wapp-trim {
    </body>
    </html>
  }
}
proc wapp-default {} {
  wapp-cache-control max-age=3600
  common-header
  wapp-trim {
    <h1>Wapp Self-Display Demo</h1>
    <p>(Strings "&#98;efore-reply" changed into "XXXXXXXXXXXX".)</p>
    <ul>
    <li> <a href='%url([wapp-param SCRIPT_NAME])/self'>Show the script
    that generates this page</a>
    <li> <a href='%url([wapp-param SCRIPT_NAME])/env'>Wapp Environment</a>
    </ul>
  }
  common-footer
}
proc wapp-page-env {} {
  wapp-allow-xorigin-params
  common-header
  wapp-trim {
    <h1>Wapp Environment</h1>
    <pre>%html([wapp-debug-env])</pre>
  }
  common-footer
}
proc wapp-page-self {} {
  wapp-cache-control max-age=3600
  common-header
  set fd [open [wapp-param SCRIPT_FILENAME] rb]
  set script [read $fd]
  close $fd
  wapp-trim {
    <h1>Wapp Script That Shows A Copy Of Itself</h1>
    <pre>%html($script)</pre>
  }
  common-footer
}
proc wapp-page-style.css {} {
  wapp-mimetype text/css
  wapp-cache-control max-age=3600
  wapp-trim {
    pre {
       border: 1px solid black;
       padding: 1ex;
    }
  }
}
wapp-start $argv

# This Wapp script records all inbound HTTP requests.  A description
# of each request is stored in -SCRIPT-log.txt where SCRIPT is the base
# name of this script.
#
package require wapp
proc wapp-default {} {
  wapp-allow-xorigin-params
  set msg "------------ New request ---------\n"
  foreach var [lsort [wapp-param-list]] {
    append msg "$var [list [wapp-param $var]]\n"
  }
  set dnam [wapp-param SCRIPT_FILENAME]
  set logfile [file dir $dnam]
  append logfile /-
  append logfile [file root [file tail $dnam]]-log.txt
  set out [open $logfile a]
  puts $out $msg
  close $out
  wapp-trim {<p>Ok</p>}
}
wapp-start $argv

# This script is a template used for testing.
#
# After making modifications to this script to test out bits of HTML
# (or not - the script works fine as it is), invoke the script using
#
#   wapptclsh env.tcl
#
# All web pages show the Wapp execution environment, which includes
# CGI-line environment variables, decoded query and POST parameters, and 
# decoded cookies.
#
package require wapp
proc wapp-default {} {
  wapp-allow-xorigin-params
  wapp-trim {
    <h1>Wapp Environment</h1>
    <pre>%html([wapp-debug-env])</pre>
  }
}
wapp-start $argv

#!/usr/bin/wapptclsh
#
# This script demonstrates how Wapp to return resources (such as
# an image) held in separate files or in a separate SQLite database.
#
package require wapp

# Common header and footer.
proc common-header {} {
  wapp-trim {
    <html>
    <head>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <link href="%url([wapp-param SCRIPT_NAME]/style.css)" rel="stylesheet">
    <title>Wapp External Content Demo</title>
    </head>
    <body>
  }
}
proc common-footer {} {
  wapp-trim {
    </body>
    </html>
  }
}

# The style sheet
proc wapp-page-style.css {} {
  wapp-mimetype text/css
  wapp-cache-control max-age=3600
  wapp-trim {
    pre {
       border: 1px solid black;
       padding: 1ex;
    }
  }
}

# This is the default page
proc wapp-default {} {
  common-header
  wapp-trim {
    <h1>External Content Demo</h1>
    <p>This demo shows how Wapp can return resources (such as images)
    that are loaded from separate files on disk, or from a separate
    database.  This demo shows two images:

    <p><img src="image1"><br>"plume1"
    <p><img src="image2"><br>"plume2"

    <p>Both images are the same PNG file.  The first image is loaded
    from a separate file on disk.  The second image is loaded form
    an SQLite database.

    <p>Click <a href="self">here</a> to see the complete Wapp script
    that generates this application.
  }
}

# The /self page that returns HTML that displays a copy of this script itself
proc wapp-page-self {} {
  wapp-cache-control max-age=3600
  common-header
  set fd [open [wapp-param SCRIPT_FILENAME] rb]
  set script [read $fd]
  close $fd
  wapp-trim {
    <h1>Text Of The External Content Demo Script</h1>
    <pre>%html($script)</pre>
  }
  common-footer
}

# The /image1 image, read from a separate file named "plume.png"
# found in the same directory as this script.
#
proc wapp-page-image1 {} {
  wapp-mimetype image/png
  set filename [file dir [wapp-param SCRIPT_FILENAME]]/plume.png
  set fd [open $filename rb]
  wapp [read $fd]
  close $fd
}

# The /image2 image, read from an SQLite database named "plume.db"
# found in the same directory as this script.
#
proc wapp-page-image2 {} {
  set dbname [file dir [wapp-param SCRIPT_FILENAME]]/plume.db
  sqlite3 db $dbname
  db eval {SELECT data, mimetype FROM image LIMIT 1} break
  wapp-mimetype $mimetype
  wapp $data
  db close
}

# Start Wapp running
wapp-start $argv

#!/usr/bin/wapptclsh
#
# Show all files in the same directory as the script.
#
package require wapp
proc wapp-page-env {} {
  wapp-allow-xorigin-params
  wapp-trim {
    <h1>Wapp Environment</h1>
    <pre>%html([wapp-debug-env])</pre>
  }
}
proc wapp-default {} {
  cd [file dir [wapp-param SCRIPT_FILENAME {}]]
  regsub {/[^/]+$} [wapp-param BASE_URL] {} base
  wapp-trim {
     <html>
     <body>
     <ol>
  }
  foreach file [lsort [glob -nocomplain *]] {
    if {[file isdir $file]} continue
    if {![file readable $file]} continue
    wapp-trim {
       <li><a href="%html($base/$file)">%html($file)</a></li>
    }
  }
  wapp-trim {</ol>\n}
}
wapp-start $argv

#!/usr/bin/wapptclsh
#
# This script demonstrates a Wapp application that can accept a file
# upload using <input type="file">
#
package require wapp
proc common-header {} {
  wapp-trim {
    <html>
    <head>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <link href="%url([wapp-param SCRIPT_NAME]/style.css)" rel="stylesheet">
    <title>Wapp File-Upload Demo</title>
    </head>
    <body>
  }
}
proc common-footer {} {
  wapp-trim {
    </body>
    </html>
  }
}
proc wapp-default {} {
  wapp-content-security-policy {default-src 'self'; img-src 'self' data:}
  common-header
  wapp-trim {
    <h1>Wapp File-Upload Demo</h1>
  }
  # NB:  You must set enctype="multipart/form-data" on your <form> in order
  # for file upload to work.
  wapp-trim {
    <p><form method="POST" enctype="multipart/form-data">
    File To Upload: <input type="file" name="file"><br>
    <input type="checkbox" name="showenv" value="1">Show CGI Environment<br>
    <input type="hidden" name="PARAM1"
     value="Post parameter with non-lowercase names are suppressed">
    <input type="hidden" name="param2.value"
     value="Post parameters with non-lowercase names are suppressed">
    <input type="submit" value="Submit">
    </form></p>
    <p><a href='%html([wapp-param SCRIPT_NAME])/self'>Show the script
    that generates this page</a></p>
  }
  # Ordinary query parameters come through just like normal
  if {[wapp-param showenv 0]} {
    wapp-trim {
      <h1>Wapp Environment</h1>
      <pre>%html([wapp-debug-env])</pre>
    }
  }
  # File upload query parameters come in three parts:  The *.mimetype,
  # the *.filename, and the *.content.
  set mimetype [wapp-param file.mimetype {}]
  set filename [wapp-param file.filename {}]
  set content [wapp-param file.content {}]
  if {$filename!=""} {
    wapp-trim {
      <h1>Uploaded File Content</h1>
      <p>Filename: %html($filename)<br>
      MIME-Type: %html($mimetype)<br>
    }
    if {[string match image/* $mimetype]} {
      # If the mimetype is an image, display the image using an
      # in-line <img> mark.  Note that the content-security-policy
      # must be changed to allow "data:" for type img-src in order
      # for this to work.
      set b64 [binary encode base64 $content]
      wapp-trim {
        Content:</p>
        <blockquote>
        <img src='data:%html($mimetype);base64,%html($b64)'>
        </blockquote>
      }
    } else {
      # Anything other than image, just show it as text.
      wapp-trim {
        Content:</p>
        <blockquote><pre>
        %html($content)
        </pre></blockquote>
      }
    }
  }
  common-footer
}
proc wapp-page-self {} {
  wapp-cache-control max-age=3600
  common-header
  set fd [open [wapp-param SCRIPT_FILENAME] rb]
  set script [read $fd]
  close $fd
  wapp-trim {
    <h1>Wapp Script That Shows A Copy Of Itself</h1>
    <pre>%html($script)</pre>
  }
  common-footer
}
proc wapp-page-style.css {} {
  wapp-mimetype text/css
  wapp-cache-control max-age=3600
  wapp-trim {
    pre {
       border: 1px solid black;
       padding: 1ex;
    }
  }
}
wapp-start $argv

# This script demonstrates how to send form data from the client browser
# back up to the server using an XMLHttpRequest with JSON content.
#
package require wapp

# The default page paints a form to be submitted.
# The default content-security-policy of Wapp restricts the use
# of in-line javascript, so the script content must be returned by
# a separate resource.
#
proc wapp-default {} {
  wapp-trim {
    <h1>Example Of Sending Form Data As JSON Using AJAX</h1>
    <form id="nameForm">
    <table border="0">
    <tr><td align="right"><label for="firstName">First name:</label>&nbsp;</td>
        <td><input type="text" id="firstName" width="20">
    <tr><td align="right"><label for="lastName">Last name:</label>&nbsp;</td>
        <td><input type="text" id="lastName" width="20">
    <tr><td align="right"><label for="age">Age:</label>&nbsp;</td>
        <td><input type="text" id="age" width="6">
    <tr><td><td><input type="submit" value="Send">
    </table>
    </form>
    <script src='%url([wapp-param SCRIPT_NAME]/script.js)'></script>
  }
}

# This is the javascript that takes control of the form and causes form
# submissions to be send using XMLHttpRequest with JSON content
#
proc wapp-page-script.js {} {
  wapp-mimetype text/javascript
  wapp-cache-control max-age=3600
  wapp-trim {
    document.getElementById("nameForm").onsubmit = function(){
      function val(id){ return document.getElementById(id).value }
      var jx = {
         "firstname":val("firstName"),
         "lastname": val("lastName"),
         "age": val("age")
      }
      var xhttp = new XMLHttpRequest();
      xhttp.open("POST", "%string([wapp-param SCRIPT_NAME])/acceptjson", true);
      xhttp.setRequestHeader("Content-Type","text/json");
      xhttp.send(JSON.stringify(jx));
      return false
    }
  }
}

# This page accepts a form submission and prints it on standard output.
# A real server would do something useful with the data.
#
proc wapp-page-acceptjson {} {
  puts "Accept Json Called"
  puts "mimetype: [list [wapp-param CONTENT_TYPE]]"
  puts "content: [list [wapp-param CONTENT]]"
}
wapp-start $argv

# This script demonstrates how to send form data from the client browser
# back up to the server using an XMLHttpRequest with 
# application/x-www-form-urlencoded content.
#
package require wapp

# The default page paints a form to be submitted.
# The default content-security-policy of Wapp restricts the use
# of in-line javascript, so the script content must be returned by
# a separate resource.
#
proc wapp-default {} {
  wapp-trim {
    <h1>Example Of Sending application/x-www-form-urlencoded Using AJAX</h1>
    <form id="nameForm">
    <table border="0">
    <tr><td align="right"><label for="firstName">First name:</label>&nbsp;</td>
        <td><input type="text" id="firstName" width="20">
    <tr><td align="right"><label for="lastName">Last name:</label>&nbsp;</td>
        <td><input type="text" id="lastName" width="20">
    <tr><td align="right"><label for="age">Age:</label>&nbsp;</td>
        <td><input type="text" id="age" width="6">
    <tr><td><td><input type="submit" value="Send">
    </table>
    </form>
    <script src='%url([wapp-param SCRIPT_NAME]/script.js)'></script>
  }
}

# This is the javascript that takes control of the form and causes form
# submissions to be send using XMLHttpRequest with urlencoded content.
#
proc wapp-page-script.js {} {
  wapp-mimetype text/javascript
  wapp-cache-control max-age=3600
  wapp-trim {
    document.getElementById("nameForm").onsubmit = function(){
      function val(id){
        return encodeURIComponent(document.getElementById(id).value)
      }
      var jx = "firstname="+val("firstName")+
               "&lastname="+val("lastName")+
               "&age="+val("age");
      var xhttp = new XMLHttpRequest();
      xhttp.open("POST", "%string([wapp-param SCRIPT_NAME])/acceptajax", true);
      xhttp.setRequestHeader("Content-Type",
                             "application/x-www-form-urlencoded");
      xhttp.send(jx);
      return false
    }
  }
}

# This page accepts a form submission and prints it on standard output.
# A real server would do something useful with the data.
#
proc wapp-page-acceptajax {} {
  puts "Accept Callback"
  puts "mimetype: [list [wapp-param CONTENT_TYPE]]"
  puts "content: [list [wapp-param CONTENT]]"
  foreach var [lsort [wapp-param-list]] {
    if {![regexp {^[a-z]} $var]} continue
    puts "$var = [list [wapp-param $var]]"
  }
}
wapp-start $argv

# This application demonstrates responsive CSS design principles using
# the media-query mechanism.  To run this app:
#
#      wapptclsh mediaquery.tcl --server 8080
#
# Then connect various devices to see how their display changes according
# to the viewport size.  Or resize the browser window.  Or twist the
# handheld device between landscape and portrait modes.
#
# The foreground and background colors change according to the viewport size
# of the device.  In a real application, the CSS would be extended to make
# other changes according to the viewport size.
#
source wapp.tcl
proc wapp-default {} {
  wapp-content-security-policy {default_src 'self' 'unsafe-inline'}
  set top [wapp-param SCRIPT_NAME]
  wapp-trim {
    <!DOCTYPE html>
    <html>
    <head>
    <meta name="viewport" content="width=device-width,initial-scale=1.0">
    <link href="%url($top/style.css)" rel="stylesheet">
    </head>
    <body>

    }
    window.onresize = setwidth;
    setwidth();
    </script>
    </html>
  }
}
proc wapp-page-style.css {} {
  wapp-mimetype text/css
  wapp-cache-control max-age=3600
  wapp-trim {
    @media screen and (max-width: 600px) {
      /* Smallest devices, small phones.  Less than 600px */
      .media-bg {background:red;color:white;}
    }
    @media screen and (min-width: 600px) {
      /* Large phones and tablets in portrait mode.  600px and up */
      .media-bg {background:orange;color:black;}

    }
    @media screen and (min-width: 1200px) {
      /* wide-screen desktops.  1200px and up */
      .media-bg {background:blue;color:white;}
    }
  }
}
wapp-start $argv

#!/usr/bin/wapptclsh
#
# This script demonstrates a Wapp application that can display a copy
# of itself via the /self page.  (See the wapp-page-self procedure for
# how that one page is generated.)
#
# This script also has a homepage and an /env page that show the wapp
# environment.  The header and footer for each page are broken out into
# separate subroutines.
#
# Just for grins, there is also a style-sheet and some cache-control
# lines to show how those things work.
#
package require wapp
proc common-header {} {
  wapp-trim {
    <html>
    <head>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <link href="%url([wapp-param SCRIPT_NAME]/style.css)" rel="stylesheet">
    <title>Wapp Self-Display Demo</title>
    </head>
    <body>
  }
}
proc common-footer {} {
  wapp-trim {
    </body>
    </html>
  }
}
proc wapp-default {} {
  wapp-cache-control max-age=3600
  common-header
  wapp-trim {
    <h1>Wapp Self-Display Demo</h1>
    <ul>
    <li> <a href='%url([wapp-param SCRIPT_NAME])/self'>Show the script
    that generates this page</a>
    <li> <a href='%url([wapp-param SCRIPT_NAME])/env'>Wapp Environment</a>
    </ul>
  }
  common-footer
}
proc wapp-page-env {} {
  common-header
  wapp-trim {
    <h1>Wapp Environment</h1>
    <pre>%html([wapp-debug-env])</pre>
  }
  common-footer
}
proc wapp-page-self {} {
  wapp-cache-control max-age=3600
  common-header
  set fd [open [wapp-param SCRIPT_FILENAME] rb]
  set script [read $fd]
  close $fd
  wapp-trim {
    <h1>Wapp Script That Shows A Copy Of Itself</h1>
    <pre>%html($script)</pre>
  }
  common-footer
}
proc wapp-page-style.css {} {
  wapp-mimetype text/css
  wapp-cache-control max-age=3600
  wapp-trim {
    pre {
       border: 1px solid black;
       padding: 1ex;
    }
  }
}
wapp-start $argv

#!/usr/bin/wapptclsh
#
# This script demonstrates a Wapp application that can display a copy
# of itself using a font color selected by a query parameter.
#
# The foreground color is whatever value is given by the color= query
# parameter.  The color is inserted into a style= attribute on the
# <pre> element using the %url(...) substitution mechanism of Wapp,
# so it is safe from XSS injections.  Try it!  You won't be able to
# slip in any unwanted HTML, but you can use %23 to get a # for
# an RGB color, like this:
#
#              ?color=%23003f7f
#
# Notice that the "wapp-content-security-policy" command had to be used
# to enable in-line CSS.  In-line CSS is off by default.
#
# Also notice that the "wapp-allow-xorigin-params" command had to be used
# to enable users to manually add new color= query parameters.
#
package require wapp
proc wapp-default {} {
  wapp-content-security-policy {default-src 'self' 'unsafe-inline'}
  wapp-allow-xorigin-params
  set fd [open [wapp-param SCRIPT_FILENAME] rb]
  set script [read $fd]
  close $fd
  set self [wapp-param SELF_URL]
  wapp-trim {
    <html>
    <head>
    <link href="%url([wapp-param SCRIPT_NAME]/style.css)" rel="stylesheet">
    <title>Wapp Self-Display Demo</title>
    </head>
    <body>
    <p>The box below shows the Wapp script that generated this page.
    Change the foreground color using the color= query parameter.
    Examples:</p>
    <ul>
    <li><a href='%url($self?color=red)'>%html($self?color=red)</a>
    <li><a href='%url($self?color=green)'>%html($self?color=green)</a>
    <li><a href='%url($self?color=blue)'>%html($self?color=blue)</a>
    <li><a href='%url($self)?color=%23003f7f'>%html($self?color=%23003f7f)</a>
    </ul>
    </p>
    <pre style='color: %url([wapp-param color black]);'>%html($script)</pre>
  }
}
proc wapp-page-style.css {} {
  wapp-mimetype text/css
  wapp-cache-control max-age=3600
  wapp-trim {
    pre {
       border: 1px solid black;
       padding: 1ex;
    }
  }
}
wapp-start $argv

#!/usr/bin/wapptclsh
#
# This script implements a simple shopping list.  To install:
#
#    (1) Create the database using:
#
#        CREATE TABLE shoplist(id INTEGER PRIMARY KEY AUTOINCREMENT,
#                              x TEXT UNIQUE COLLATE nocase);
#        CREATE TABLE done(delid INTEGER PRIMARY KEY AUTOINCREMENT,
#                          id INTEGER, x TEXT COLLATE nocase);
#        CREATE TABLE config(name TEXT PRIMARY KEY, value ANY) WITHOUT ROWID;
#        INSERT INTO config VALUES('password',<Your-Password-Here>);
#
#    (2) Edit this script to put the full pathname of the database as the
#        DBFILE variable
#
#    (3) Make this script a CGI on your server.  Or run it in some other
#        way that Wapp supports.
#
set DBFILE /shoppinglist.db  ;# Change to name of the database.

# Every page should call this routine first, and abort if this
# routine returns non-zero.
#
# This routine outputs the page header and opens the database file.
# It checks the login cookie.  If the user is not logged in, this routine
# paints the login screen and returns 1 (causing the caller page to abort).
# 
proc shopping-list-header {} {
  set top [wapp-param SCRIPT_NAME]
  wapp-trim {
    <html>
    <head>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <link href="%url($top/style.css)" rel="stylesheet">
    <link rel="icon" type="image/gif" href="%url($top/favicon.ico)">
    <title>Grocery List</title>
    </head><body>
    <h1>Grocery List</h1>
  }
  sqlite3 db $::DBFILE
  db timeout 1000
  db eval BEGIN
  if {[wapp-param-exists logout]} {
    wapp-clear-cookie shopping-list-login
    set pswd {}
  } else {
    set pswd [wapp-param pswd [wapp-param shopping-list-login]]
  }
  if {$pswd=="" 
    || ![db exists {SELECT 1 FROM config WHERE name='password' AND value=$pswd}]
  } {
    wapp-trim {
      <p><form method="POST" action="%url([wapp-param SELF_URL])">
      Password: <input type="password" name="pswd" width=12>
      <input type="submit" value="Login"></form></p>
    }
    db eval COMMIT
    db close
    return 1
  }
  if {[wapp-param-exists pswd]} {
    wapp-set-cookie shopping-list-login $pswd
  }
  return 0
}

# Every page should call this routine at the end to clean up the database
# connection.
#

#                 but only if there is no existing item with the
#                 same name
#    undel=ID     Undo a prior delete of item ID.
# Only one of the above edit operations may be applied per request.
# The edit action is applied prior to displaying the shopping list.
# All edit actions are idempotent.
#
proc wapp-default {} {
  if {[shopping-list-header]} return
  set base [wapp-param SCRIPT_NAME]
  if {[wapp-param-exists del]} {
    set id [expr {[wapp-param del]+0}]
    db eval {
       INSERT INTO done(id,x) SELECT id, x FROM shoplist WHERE id=$id;
       DELETE FROM shoplist WHERE id=$id;
    }
  } elseif {[wapp-param-exists add]} {
    set add [wapp-param add]
    db eval {INSERT OR IGNORE INTO shoplist(x) VALUES($add)}
  } elseif {[wapp-param-exists undel]} {
    set undelid [expr {[wapp-param undel]+0}]
    db eval {
      INSERT OR IGNORE INTO shoplist(id,x)
           SELECT id, x FROM done WHERE delid=$undelid;
      DELETE FROM done WHERE delid=$undelid;
    }
  }
  set cnt 0
  db eval {SELECT id, x FROM shoplist ORDER BY x} {
    # if {$cnt} {wapp-subst {<hr>\n}}
    incr cnt
    wapp-trim {
      <p>%html($x)
      <a class="button" href="%url($base/list?del=$id)">Got It!</a>
    }
  }
  if {$cnt} {wapp-subst {<hr>\n}}
  wapp-trim {
    <p><form method="GET" action="%url($base/list)">
    <input type="text" width="20" name="add">&nbsp;&nbsp;&nbsp;
    <input class="button" type="submit" value="Add"></form>
    <p><a class="button" href="%url($base/common)">Common Purchases</a>
  }
  db eval {SELECT delid FROM done ORDER BY delid DESC limit 1} {
    wapp-trim {
      <p><a class="button" href="%url($base/list?undel=$delid)">Undelete</a>
    }
  }
  wapp-trim {
    <p><a class="button" href="%url($base/list)">Refresh</a>
    <p><a class="button" href="%url($base/edit)">Edit</a>
    <p><a class="button" href="%url($base/list?logout=1)">Logout</a>
  }
  shopping-list-footer
}

# This page shows recent purchases with an opportunity to re-add those
# purchases to the shopping list.  The idea is that to have easy access
# to common purchases.
#
proc wapp-page-common {} {
  if {[shopping-list-header]} return
  set base [wapp-param SCRIPT_NAME]
  wapp-subst {<p><a class="button" href="%url($base/list)">Go Back</a>}
  db eval {SELECT x FROM
             (SELECT DISTINCT x FROM done ORDER BY delid DESC LIMIT 30)
           ORDER BY x} {
    wapp-trim {
      <p>%html($x)
      <a class="button" href="%url($base/list?add=)%qp($x)">Add</a><br>
    }
  }
  shopping-list-footer
}

# provide forms to edit all current entries.
#
proc wapp-page-edit {} {
  if {[shopping-list-header]} return
  set id [wapp-param id]
  set x [wapp-param x]
  if {[string is int -strict $id] && $x!=""} {
    db eval {
      UPDATE shoplist SET x=$x WHERE id=$id;
    }
    wapp-redirect list
    shopping-list-footer
    return
  }
  db eval {SELECT id, x FROM shoplist ORDER BY x} {
    wapp-trim {
      <p><form method="POST">
      <input type="hidden" name="id" value="%html($id)">
      <input type="text" width="20" name="x" value="%html($x)">&nbsp;&nbsp;
      &nbsp;<input type="submit" value="Change"></form></p>
    }
  }
  wapp-subst {<p><a class="button" href="list">Cancel</a>\n}
  shopping-list-footer
}

# The /env page shows the CGI environment.  This is for testing only.
# There are no links to this page.
#
proc wapp-page-env {} {
  if {[shopping-list-header]} return
  wapp-trim {
    <html>
    <h1>CGI Environment</h1>
    <pre>%html([wapp-debug-env])</pre>
  }
  shopping-list-footer
}

# The style-sheet
#
proc wapp-page-style.css {} {
  wapp-mimetype text/css
  wapp-cache-control max-age=3600
  wapp-trim {
     .button {
      font-size: 80%;
      text-decoration: none;
      padding: 2px 6px 2px 6px;
      border: 1px solid black;
      border-radius: 8px;
      background-color: #ddd;
    }
  }
}

# The application icon is a gif image of a head of broccoli.
#
proc wapp-page-favicon.ico {} {
  wapp-mimetype image/gif
  wapp-cache-control max-age=3600
  wapp-unsafe [binary decode hex {
    47494638396120002000f300000000000022000033330044000055000066330
    0993333cc3366cc3399cc3399cc9999ff99cccc99ccff9900000000000021f9
    040100000e002c00000000200020000004fed0c9495db985d4cdf95547288cd
    248761e582846d19aab6100005a15a16c286e21c49842cd26c1c574868180f5
    c10c3b98434b77514e31ade766151ab85a182bf622a0410fe16075a41e0db49
    30c8130a87b735683695f87af120921073f6864603e323e027d145c06524887
    8a3f3b645e6f8d098f3b892e3990883d8b05984520908949395717012f03495
    a31074c6003a86a0196a4b220a93d38608703ba8b4901bdbf4153c2a40123c7
    7eb5c017856a4a000601ba700e04526aa417acbc03085e421bdfe1a492a46f5
    ee7e91c00d7c4e8ef08495f4936347623b605e80300963e030cfa11012050e0
    b83ae3642048388088838276ecb8386860813e7d3f152d62b4974d5f838f0a1
    762b463a6a4819332425abc48c3cc04973053ceec8013e4ce8506f42d88f9d3
    5fd0a3758aa2705960a0d2a52db6c97cbaa1e69008003b
  }]
}

# After all pages handling routines have been defined, start up
# the Wapp handler.
#
wapp-start $argv

#!/usr/bin/wapptclsh
# This script demonstrates how to receive bulk HTML content
# (such as a complete <table>) and insert it in the middle
# of the DOM using XMLHttpRequest
#
package require wapp
proc common-header {} {
  wapp-trim {
    <html>
    <head>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <link href="%url([wapp-param SCRIPT_NAME]/style.css)" rel="stylesheet">
    <body>
  }
}
proc common-footer {} {
  wapp-trim {
    </body>
    </html>
  }
}

proc wapp-default {} {
  common-header
  wapp-trim {
    <p>This application demonstrates how to use XMLHttpResult to obtain
    bulk HTML text (such as a large &lt;table&gt;) and then insert that
    text in the middle of the DOM.</p>

    <div id="insertionPoint"></div>

    <p><form id="theForm">
    Click the button 
    <input type="submit" id="theButton" value="Click Here">
    to cause content to be inserted above this paragraph and below
    the initial paragraph
    </form></p>
    <script src='%url([wapp-param SCRIPT_NAME]/script.js)'></script>

    <p><a href='%html([wapp-param SCRIPT_NAME])/self'>Show the Wapp script
    that generates this page</a></p>
  }
  common-footer
}

# This is the javascript that takes control of the form and causes form
# submissions to fetch and insert HTML text.
#
proc wapp-page-script.js {} {
  wapp-mimetype text/javascript
  wapp-cache-control max-age=3600
  wapp-trim {
    document.getElementById("theForm").onsubmit = function(){
      var xhttp = new XMLHttpRequest();
      xhttp.open("GET", "%string([wapp-param BASE_URL])/gettable", true);
      xhttp.onreadystatechange = function(){
        if(this.readyState!=4)return
        document.getElementById("insertionPoint").innerHTML = this.responseText;
        document.getElementById("insCancel").onclick = function(){
          document.getElementById("insertionPoint").innerHTML = null
        }
      }
      xhttp.send();
      return false
    }
  }
}

# This counter increments on each /gettable call.
set counter 0

# The /gettable page returns the content of a table to be inserted
# in the original page.
#
proc wapp-page-gettable {} {
  global counter
  incr counter
  wapp-trim {
    <table border="1">
    <tr><th>Column 1<th>Column 2<th>Column 3
    <tr><td>1.1<td>1.2<td>1.3
    <tr><td>2.1<td>2.2<td>2.3
    <tr><td>%html($counter)<td><td><button id="insCancel">Cancel</button>
    </table>
  }
}

# The /self page that shows the text of this script.
#
proc wapp-page-self {} {
  wapp-cache-control max-age=3600
  common-header
  set fd [open [wapp-param SCRIPT_FILENAME] rb]
  set script [read $fd]
  close $fd
  wapp-trim {
    <h1>Wapp Script That Shows A Copy Of Itself</h1>
    <pre>%html($script)</pre>
  }
  common-footer
}
proc wapp-page-style.css {} {
  wapp-mimetype text/css
  wapp-cache-control max-age=3600
  wapp-trim {
    pre {
       border: 1px solid black;
       padding: 1ex;
    }
  }
}

wapp-start $argv

#endif /* SQLITE_OMIT_UTF16 */

#ifndef SQLITE_OMIT_UTF16
/*
** This routine checks for a byte-order mark at the beginning of the
** UTF-16 string stored in *pMem. If one is present, it is removed and
** the encoding of the Mem adjusted. This routine does not do any
** byte-swapping, it just sets Mem.enc appropriately.
**
** The allocation (static, dynamic etc.) and encoding of the Mem may be
** changed by this function.
*/
SQLITE_PRIVATE int sqlite3VdbeMemHandleBom(Mem *pMem){
  int rc = SQLITE_OK;
  u8 bom = 0;

  int (*xRead)(const char *zClass, const char *zKey, char *zBuf, int nBuf);
  int (*xWrite)(const char *zClass, const char *zKey, const char *zData);
  int (*xDelete)(const char *zClass, const char *zKey);
  const int nKeySize;
};

/*
** This object holds the kvvfs I/O methods which may be swapped out
** for JavaScript-side implementations in WASM builds. In such builds
** it cannot be const, but in native builds it should be so that
** the compiler can hopefully optimize this level of indirection out.
** That said, kvvfs is intended primarily for use in WASM builds.
**
** Note that this is not explicitly flagged as static because the
** amalgamation build will tag it with SQLITE_PRIVATE.

      rc = btreeGetPage(pBt, iLastPg, &pLastPg, 0);
      if( rc!=SQLITE_OK ){
        return rc;
      }

      /* If bCommit is zero, this loop runs exactly once and page pLastPg
      ** is swapped with the first free page pulled off the free list.
      **
      ** On the other hand, if bCommit is greater than zero, then keep
      ** looping until a free-page located within the first nFin pages
      ** of the file is found.
      */
      if( bCommit==0 ){
        eMode = BTALLOC_LE;

**
** (2007-08-30)  Frank van Vugt has studied this problem closely
** and has send his findings to the SQLite developers.  Frank
** writes that some Linux kernels offer floating point hardware
** emulation that uses only 32-bit mantissas instead of a full
** 48-bits as required by the IEEE standard.  (This is the
** CONFIG_FPE_FASTFPE option.)  On such systems, floating point
** byte swapping becomes very complicated.  To avoid problems,
** the necessary byte swapping is carried out using a 64-bit integer
** rather than a 64-bit float.  Frank assures us that the code here
** works for him.  We, the developers, have no way to independently
** verify this, but Frank seems to know what he is talking about
** so we trust him.
*/
#ifdef SQLITE_MIXED_ENDIAN_64BIT_FLOAT
SQLITE_PRIVATE u64 sqlite3FloatSwap(u64 in){

        iUpper = a[0] + a[1];
      }

      assert( pLower==0 || (pLower->eOperator & (WO_GT|WO_GE))!=0 );
      assert( pUpper==0 || (pUpper->eOperator & (WO_LT|WO_LE))!=0 );
      assert( p->aSortOrder!=0 );
      if( p->aSortOrder[nEq] ){
        /* The roles of pLower and pUpper are swapped for a DESC index */
        SWAP(WhereTerm*, pLower, pUpper);
        SWAP(int, nBtm, nTop);
      }

      /* If possible, improve on the iLower estimate using ($P:$L). */
      if( pLower ){
        int n;                    /* Values extracted from pExpr */

    pBuilder->iPlanLimit += SQLITE_QUERY_PLANNER_LIMIT_INCR;
    pNew->maskSelf = sqlite3WhereGetMask(&pWInfo->sMaskSet, pItem->iCursor);
    if( bFirstPastRJ
     || (pItem->fg.jointype & (JT_OUTER|JT_CROSS|JT_LTORJ))!=0
    ){
      /* Add prerequisites to prevent reordering of FROM clause terms
      ** across CROSS joins and outer joins.  The bFirstPastRJ boolean
      ** prevents the right operand of a RIGHT JOIN from being swapped with
      ** other elements even further to the right.
      **
      ** The JT_LTORJ case and the hasRightJoin flag work together to
      ** prevent FROM-clause terms from moving from the right side of
      ** a LEFT JOIN over to the left side of that join if the LEFT JOIN
      ** is itself on the left side of a RIGHT JOIN.
      */

This file exists to test wapp's handling of files with
unusual filenames.

#!/usr/bin/wapptclsh
#
# Invoke as "tclsh test01.tcl" and then surf the website that pops up
# to verify the logic in wapp.
#
if {[catch {package require wapp}]} {
  source [file dir [file dir [info script]]]/wapp.tcl
}
proc wapp-default {} {
  global wapp
  set B [wapp-param BASE_URL]
  set BX(y) $B
  set R [wapp-param SCRIPT_NAME]
  wapp-cache-control max-age=15
  wapp "<h1>Hello, World!</h1>\n"
  wapp "<ol>"
  wapp-unsafe "<li><p><a href='$R/env'>Wapp Environment</a></p>\n"
  wapp-subst {<li><p><a href='env2'>Environment using wapp-debug-env</a>\n}
  wapp-subst {<li><p><a href='%url%($B)%/fullenv'>Full Environment</a>\n}
  set crazy [lsort [wapp-param-list]]
  wapp-subst {<li><p><a href='%url($B)/env?keys=%url($crazy)'>}
  wapp "Environment with crazy URL</a>\n"
  wapp-trim {
    <li><p><a href='%url($B)/lint'>Lint</a>
    <li><p><a href='%url($B)/errorout'>Deliberate error</a>
    <li><p><a href='%url($B)/encodings'>Encoding checks</a>
    <li><p><a href='%url($B)/redirect'>Redirect to env</a>
    <li><p><a href='%url($B)/globals'>TCL global variables</a>
    <li><p><a href='%url%($BX(y))%/csptest'>Content Security Policy</a>
    <li><p><a href='%url($B)/fileupload'>File Upload
    Using multipart/form-data</a>
    <li><p><a href='%url($B)/self'>The source code to this script</a>
  }
  set x "%string(...)"
  set v abc'def\"ghi\\jkl</script>
  wapp-subst {<li>%html($x) substitution test: "%string%($v)%"\n}
  wapp "</ol>"
  if {[wapp-param-exists showenv]} {
    wapp-page-env
  }
  wapp-trim {
    <p>The creator of Wapp:<br>
    <img src="%url($R/drh.jpg)">
  }
}
proc wapp-page-redirect {} {
  wapp-redirect env
}
proc wapp-page-globals {} {
  wapp-trim {
    <h1>TCL Global Variables</h1>
    <ul>
  }
  foreach vname [lsort [uplevel #0 info vars]] {
    set val ???
    catch {set val [set ::$vname]}
    set len [string length $val]
    if {$len>100} {
      wapp-subst {<li>%html($vname) = <i>... %html($len) byte string...</i>\n}
    } else {
      wapp-subst {<li>%html($vname = [list $val])</li>\n}
    }
  }
}
proc wapp-page-env2 {} {
  wapp-allow-xorigin-params
  wapp-trim {
    <h1>Wapp Environment using wapp-debug-env</h1>
    <p>This page uses wapp-allow-xorigin-params so that new
       query parameters may be added manually to the URL.</p>
    <pre>%html([wapp-debug-env])</pre>
  }
}
proc wapp-page-env {} {
  global wapp
  wapp-allow-xorigin-params
  wapp-set-cookie env-cookie simple
  wapp "<h1>Wapp Environment</h1>\n"
  wapp-unsafe "<form method='GET' action='[wapp-param SELF_URL]'>\n"
  wapp "<input type='checkbox' name='showhdr'"
  if {[wapp-param-exists showhdr]} {
    wapp " checked"
  }
  wapp "> Show Header\n"
  wapp "<input type='submit' value='Go'>\n"
  wapp "</form>"

         ($var!=".header" || ![wapp-param-exists showhdr])} continue
    wapp-subst {%html($var) = %string([list [wapp-param $var]])\n}
  }
  wapp "</pre>"
}
proc wapp-page-fullenv {} {
  wapp-set-cookie env-cookie full
  wapp "<h1>Wapp Full Environment</h1>\n"
  wapp-unsafe "<form method='POST' action='[wapp-param SELF_URL]'>\n"
  wapp "<input type='checkbox' name='var1'"
  if {[wapp-param-exists showhdr]} {
    wapp " checked"
  }
  # Deliberately unsafe calls to wapp-subst and wapp-trim, added here
  # to test wapp-safety-check

      </pre>
    }
  }
}
proc wapp-page-fileupload {} {
  wapp-content-security-policy {default_src 'self' 'inline'}
  wapp-trim {
    <h1>Wapp File Upload Form Test</h1>
    <p><form method="POST" enctype="multipart/form-data">
    <input type="file" name="f1"><br>
    <input type="file" name="f2"><br>
    <input type="file" name="f3"><br>
    <input type="submit" value="Upload Files">
    </form></p>
  }

  wapp-subst {</table>}
}
# Deliberately generate an error to test error handling.
proc wapp-page-errorout {} {
  wapp "<h1>Intentially generate an error</h1>\n"
  wapp "<p>This test should be ignored by the error handler\n"
  # The following line deliberately throws an error to test the
  # error recovering logic within Wapp
  wapp $noSuchVariable
  wapp "This is a $test of wapp-safety-check"
  wapp "This is another [test of] wapp-safety-check"
  wapp "<p>After the error\n"
}
proc wapp-page-csptest {} {
  wapp-allow-xorigin-params

#!/usr/bin/tclsh
#
# This script is for testing wapp in CGI mode using the althttpd web-server.
# This script is contained inside the "default.website" subdirectory.  Let
# $ROOT be the name of the root of this source archive - the directory that
# contains "default.website".  Then to start up althttpd for this test
# run:
#
#     althttpd -root $ROOT -port 8080
#

# but without any warranty; without even the implied warranty of
# merchantability or fitness for a particular purpose.
#
#---------------------------------------------------------------------------
#
# Design rules:
#
#   (1)  All identifiers in the global namespace begin with "wapp"
#
#   (2)  Indentifiers intended for internal use only begin with "wappInt"
#
package require Tcl 8.6

# Add text to the end of the HTTP reply.  No interpretation or transformation
# of the text is performs.  The argument should be enclosed within {...}
#
proc wapp {txt} {
  global wapp
  dict append wapp .reply $txt
}

# Add text to the page under construction.  Do no escaping on the text.
#
# Though "unsafe" in general, there are uses for this kind of thing.
# For example, if you want to return the complete, unmodified content of
# a file:
#
#         set fd [open content.html rb]
#         wapp-unsafe [read $fd]
#         close $fd
#
# You could do the same thing using ordinary "wapp" instead of "wapp-unsafe".
# The difference is that wapp-safety-check will complain about the misuse
# of "wapp", but it assumes that the person who write "wapp-unsafe" understands
# the risks.
#
# Though occasionally necessary, the use of this interface should be minimized.
#
proc wapp-unsafe {txt} {
  global wapp
  dict append wapp .reply $txt
}

# Add text to the end of the reply under construction.  The following
# substitutions are made:
#
#     %html(...)          Escape text for inclusion in HTML
#     %url(...)           Escape text for use as a URL

# In other words, use "%(...)%" instead of "(...)" to include the TCL string
# to substitute.
#
# The %unsafe substitution should be avoided whenever possible, obviously.
# In addition to the substitutions above, the text also does backslash
# escapes.
#
# The wapp-trim proc works the same as wapp-subst except that it also removes
# whitespace from the left margin, so that the generated HTML/CSS/Javascript
# does not appear to be indented when delivered to the client web browser.
#
if {$tcl_version>=8.7} {
  proc wapp-subst {txt} {
    global wapp
    regsub -all -command \
       {%(html|url|qp|string|unsafe){1,1}?(|%)\((.+)\)\2} $txt wappInt-enc txt
    dict append wapp .reply [subst -novariables -nocommand $txt]
  }
  proc wapp-trim {txt} {
    global wapp
    regsub -all {\n\s+} [string trim $txt] \n txt
    regsub -all -command \
       {%(html|url|qp|string|unsafe){1,1}?(|%)\((.+)\)\2} $txt wappInt-enc txt
    dict append wapp .reply [subst -novariables -nocommand $txt]
  }
  proc wappInt-enc {all mode nu1 txt} {
    return [uplevel 2 "wappInt-enc-$mode \"$txt\""]
  }
} else {
  proc wapp-subst {txt} {
    global wapp
    regsub -all {%(html|url|qp|string|unsafe){1,1}?(|%)\((.+)\)\2} $txt \
           {[wappInt-enc-\1 "\3"]} txt
    dict append wapp .reply [uplevel 1 [list subst -novariables $txt]]
  }
  proc wapp-trim {txt} {
    global wapp
    regsub -all {\n\s+} [string trim $txt] \n txt
    regsub -all {%(html|url|qp|string|unsafe){1,1}?(|%)\((.+)\)\2} $txt \
           {[wappInt-enc-\1 "\3"]} txt
    dict append wapp .reply [uplevel 1 [list subst -novariables $txt]]
  }
}

# There must be a wappInt-enc-NAME routine for each possible substitution
# in wapp-subst.  Thus there are routines for "html", "url", "qp", and "unsafe".
#
#    wappInt-enc-html           Escape text so that it is safe to use in the
#                               body of an HTML document.
#
#    wappInt-enc-url            Escape text so that it is safe to pass as an
#                               argument to href= and src= attributes in HTML.
#
#    wappInt-enc-qp             Escape text so that it is safe to use as the
#                               value of a query parameter in a URL or in
#                               post data or in a cookie.
#
#    wappInt-enc-string         Escape ", ', \, and < for using inside of a
#                               javascript string literal.  The < character
#                               is escaped to prevent "</script>" from causing
#                               problems in embedded javascript.
#
#    wappInt-enc-unsafe         Perform no encoding at all.  Unsafe.
#
proc wappInt-enc-html {txt} {
  return [string map {& &amp; < &lt; > &gt; \" &quot; \\ &#92;} $txt]
}
proc wappInt-enc-unsafe {txt} {
  return $txt
}
proc wappInt-enc-url {s} {
  if {[regsub -all {[^-{}\\@~?=#_.:/a-zA-Z0-9]} $s {[wappInt-%HHchar {&}]} s]} {
    set s [subst -novar -noback $s]
  }
  if {[regsub -all {[\\{}]} $s {[wappInt-%HHchar \\&]} s]} {









    set s [subst -novar -noback $s]
  }
  return $s
}
proc wappInt-enc-qp {s} {
  if {[regsub -all {[^-{}\\_.a-zA-Z0-9]} $s {[wappInt-%HHchar {&}]} s]} {
    set s [subst -novar -noback $s]
  }
  if {[regsub -all {[\\{}]} $s {[wappInt-%HHchar \\&]} s]} {
    set s [subst -novar -noback $s]
  }
  return $s
}
proc wappInt-enc-string {s} {
  return [string map {\\ \\\\ \" \\\" ' \\' < \\u003c \n \\n \r \\r
  	     \f \\f \t \\t \x01 \\u0001 \x02 \\u0002 \x03 \\u0003
  	     \x04 \\u0004 \x05 \\u0005 \x06 \\u0006 \x07 \\u0007
  	     \x0b \\u000b \x0e \\u000e \x0f \\u000f \x10 \\u0010
  	     \x11 \\u0011 \x12 \\u0012 \x13 \\u0013 \x14 \\u0014
  	     \x15 \\u0015 \x16 \\u0016 \x17 \\u0017 \x18 \\u0018
  	     \x19 \\u0019 \x1a \\u001a \x1b \\u001b \x1c \\u001c
  	     \x1d \\u001d \x1e \\u001e \x1f \\u001f} $s]
}

# This is a helper routine for wappInt-enc-url and wappInt-enc-qp.  It returns
# an appropriate %HH encoding for the single character c.  If c is a unicode
# character, then this routine might return multiple bytes:  %HH%HH%HH
#
proc wappInt-%HHchar {c} {
  if {$c==" "} {return +}
  return [regsub -all .. [binary encode hex [encoding convertto utf-8 $c]] {%&}]
}


# Undo the www-url-encoded format.
#
# HT: This code stolen from ncgi.tcl
#
proc wappInt-decode-url {str} {
  set str [string map [list + { } "\\" "\\\\" \[ \\\[ \] \\\]] $str]
  regsub -all -- \
      {%([Ee][A-Fa-f0-9])%([89ABab][A-Fa-f0-9])%([89ABab][A-Fa-f0-9])} \
      $str {[encoding convertfrom utf-8 [binary decode hex \1\2\3]]} str
  regsub -all -- \
      {%([CDcd][A-Fa-f0-9])%([89ABab][A-Fa-f0-9])}                     \
      $str {[encoding convertfrom utf-8 [binary decode hex \1\2]]} str
  regsub -all -- {%([0-7][A-Fa-f0-9])} $str {\\u00\1} str
  return [subst -novar $str]
}

# Reset the document back to an empty string.
#
proc wapp-reset {} {
  global wapp
  dict set wapp .reply {}
}

# Change the mime-type of the result document.
#
proc wapp-mimetype {x} {
  global wapp
  dict set wapp .mimetype $x
}

# Change the reply code.
#
proc wapp-reply-code {x} {
  global wapp
  dict set wapp .reply-code $x
}

# Set a cookie
#
proc wapp-set-cookie {name value} {
  global wapp
  dict lappend wapp .new-cookies $name $value
}

# Unset a cookie
#
proc wapp-clear-cookie {name} {
  wapp-set-cookie $name {}
}

# Add extra entries to the reply header
#
proc wapp-reply-extra {name value} {
  global wapp
  dict lappend wapp .reply-extra $name $value
}

# Specifies how the web-page under construction should be cached.
# The argument should be one of:
#
#    no-cache
#    max-age=N             (for some integer number of seconds, N)
#    private,max-age=N
#
proc wapp-cache-control {x} {
  wapp-reply-extra Cache-Control $x
}

# Redirect to a different web page
#
proc wapp-redirect {uri} {
  wapp-reset
  wapp-reply-code {303 Redirect}
  wapp-reply-extra Location $uri
}

# Return the value of a wapp parameter
#
proc wapp-param {name {dflt {}}} {
  global wapp
  if {![dict exists $wapp $name]} {return $dflt}
  return [dict get $wapp $name]
}

# Return true if a and only if the wapp parameter $name exists
#
proc wapp-param-exists {name} {
  global wapp
  return [dict exists $wapp $name]
}

# Set the value of a wapp parameter
#
proc wapp-set-param {name value} {
  global wapp
  dict set wapp $name $value
}

# Return all parameter names that match the GLOB pattern, or all
# names if the GLOB pattern is omitted.
#
proc wapp-param-list {{glob {*}}} {
  global wapp
  return [dict keys $wapp $glob]
}

# By default, Wapp does not decode query parameters and POST parameters
# for cross-origin requests.  This is a security restriction, designed to
# help prevent cross-site request forgery (CSRF) attacks.
#
# As a consequence of this restriction, URLs for sites generated by Wapp
# that contain query parameters will not work as URLs found in other
# websites.  You cannot create a link from a second website into a Wapp
# website if the link contains query planner, by default.
#
# Of course, it is sometimes desirable to allow query parameters on external
# links.  For URLs for which this is safe, the application should invoke
# wapp-allow-xorigin-params.  This procedure tells Wapp that it is safe to
# go ahead and decode the query parameters even for cross-site requests.
#
# In other words, for Wapp security is the default setting.  Individual pages
# need to actively disable the cross-site request security if those pages
# are safe for cross-site access.
#
proc wapp-allow-xorigin-params {} {
  global wapp
  if {![dict exists $wapp .qp] && ![dict get $wapp SAME_ORIGIN]} {
    wappInt-decode-query-params
  }
}

# Set the content-security-policy.
#
# The default content-security-policy is very strict:  "default-src 'self'"
# The default policy prohibits the use of in-line javascript or CSS.
#
# Provide an alternative CSP as the argument.  Or use "off" to disable
# the CSP completely.
#
proc wapp-content-security-policy {val} {
  global wapp
  if {$val=="off"} {
    dict unset wapp .csp
  } else {
    dict set wapp .csp $val
  }
}

# Examine the bodys of all procedures in this program looking for
# unsafe calls to various Wapp interfaces.  Return a text string
# containing warnings. Return an empty string if all is ok.
#
# This routine is advisory only.  It misses some constructs that are
# dangerous and flags others that are safe.
#
proc wapp-safety-check {} {
  set res {}
  foreach p [info command] {
    set ln 0
    foreach x [split [info body $p] \n] {
      incr ln
      if {[regexp {^[ \t]*wapp[ \t]+([^\n]+)} $x all tail]
       && [string index $tail 0]!="\173"
       && [regexp {[[$]} $tail]
      } {
        append res "$p:$ln: unsafe \"wapp\" call: \"[string trim $x]\"\n"
      }
      if {[regexp {^[ \t]*wapp-(subst|trim)[ \t]+[^\173]} $x all cx]} {
        append res "$p:$ln: unsafe \"wapp-$cx\" call: \"[string trim $x]\"\n"
      }
    }
  }
  return $res
}

# Return a string that descripts the current environment.  Applications
# might find this useful for debugging.
#
proc wapp-debug-env {} {
  global wapp
  set out {}
  foreach var [lsort [dict keys $wapp]] {
    if {[string index $var 0]=="."} continue
    append out "$var = [list [dict get $wapp $var]]\n"
  }
  append out "\[pwd\] = [list [pwd]]\n"
  return $out
}

# Tracing function for each HTTP request.  This is overridden by wapp-start
# if tracing is enabled.
#
proc wappInt-trace {} {}

# Start up a listening socket.  Arrange to invoke wappInt-new-connection
# for each inbound HTTP connection.
#
#    port            Listen on this TCP port.  0 means to select a port
#                    that is not currently in use
#
#    wappmode        One of "scgi", "remote-scgi", "server", or "local".
#
#    fromip          If not {}, then reject all requests from IP addresses
#                    other than $fromip
#
proc wappInt-start-listener {port wappmode fromip} {
  if {[string match *scgi $wappmode]} {
    set type SCGI
    set server [list wappInt-new-connection \
                wappInt-scgi-readable $wappmode $fromip]
  } else {
    set type HTTP
    set server [list wappInt-new-connection \
                wappInt-http-readable $wappmode $fromip]
  }
  if {$wappmode=="local" || $wappmode=="scgi"} {
    set x [socket -server $server -myaddr 127.0.0.1 $port]
  } else {
    set x [socket -server $server $port]
  }
  set coninfo [chan configure $x -sockname]
  set port [lindex $coninfo 2]
  if {$wappmode=="local"} {
    wappInt-start-browser http://127.0.0.1:$port/
  } elseif {$fromip!=""} {
    puts "Listening for $type requests on TCP port $port from IP $fromip"
  } else {
    puts "Listening for $type requests on TCP port $port"
  }
}

# Start a web-browser and point it at $URL
#
proc wappInt-start-browser {url} {
  global tcl_platform
  if {$tcl_platform(platform)=="windows"} {
    exec cmd /c start $url &
  } elseif {$tcl_platform(os)=="Darwin"} {
    exec open $url &
  } elseif {[catch {exec -ignorestderr xdg-open $url}]} {
    exec firefox $url &
  }
}

# This routine is a "socket -server" callback.  The $chan, $ip, and $port
# arguments are added by the socket command.
#
# Arrange to invoke $callback when content is available on the new socket.
# The $callback will process inbound HTTP or SCGI content.  Reject the
# request if $fromip is not an empty string and does not match $ip.
#
proc wappInt-new-connection {callback wappmode fromip chan ip port} {
  upvar #0 wappInt-$chan W
  if {$fromip!="" && ![string match $fromip $ip]} {
    close $chan
    return
  }
  set W [dict create REMOTE_ADDR $ip REMOTE_PORT $port WAPP_MODE $wappmode \
         .header {}]
  fconfigure $chan -blocking 0 -translation binary
  fileevent $chan readable [list $callback $chan]
}

# Close an input channel
#
proc wappInt-close-channel {chan} {
  if {$chan=="stdout"} {
    # This happens after completing a CGI request
    exit 0
  } else {
    unset ::wappInt-$chan
    close $chan
  }
}

# Process new text received on an inbound HTTP request
#
proc wappInt-http-readable {chan} {
  if {[catch [list wappInt-http-readable-unsafe $chan] msg]} {
    puts stderr "$msg\n$::errorInfo"
    wappInt-close-channel $chan
  }
}
proc wappInt-http-readable-unsafe {chan} {
  upvar #0 wappInt-$chan W wapp wapp
  if {![dict exists $W .toread]} {
    # If the .toread key is not set, that means we are still reading
    # the header
    set line [string trimright [gets $chan]]
    set n [string length $line]
    if {$n>0} {
      if {[dict get $W .header]=="" || [regexp {^\s+} $line]} {

      if {[info exists ::argv0]} {
        set a0 [file normalize $argv0]
      } else {
        set a0 /
      }
      dict set W SCRIPT_FILENAME $a0
      dict set W DOCUMENT_ROOT [file dir $a0]
      if {[wappInt-parse-header $chan]} {
        catch {close $chan}
        return
      }
      set len 0
      if {[dict exists $W CONTENT_LENGTH]} {
        set len [dict get $W CONTENT_LENGTH]
      }
      if {$len>0} {
        # Still need to read the query content
        dict set W .toread $len
      } else {
        # There is no query content, so handle the request immediately
        set wapp $W
        wappInt-handle-request $chan
      }
    }
  } else {
    # If .toread is set, that means we are reading the query content.
    # Continue reading until .toread reaches zero.
    set got [read $chan [dict get $W .toread]]
    dict append W CONTENT $got
    dict set W .toread [expr {[dict get $W .toread]-[string length $got]}]
    if {[dict get $W .toread]<=0} {
      # Handle the request as soon as all the query content is received
      set wapp $W
      wappInt-handle-request $chan
    }
  }
}

# Decode the HTTP request header.
#
# This routine is always running inside of a [catch], so if
# any problems arise, simply raise an error.
#
proc wappInt-parse-header {chan} {
  upvar #0 wappInt-$chan W
  set hdr [split [dict get $W .header] \n]
  if {$hdr==""} {return 1}
  set req [lindex $hdr 0]
  dict set W REQUEST_METHOD [set method [lindex $req 0]]
  if {[lsearch {GET HEAD POST} $method]<0} {
    error "unsupported request method: \"[dict get $W REQUEST_METHOD]\""
  }

  }
  return 0
}

# Decode the QUERY_STRING parameters from a GET request or the
# application/x-www-form-urlencoded CONTENT from a POST request.
#
# This routine sets the ".qp" element of the ::wapp dict as a signal
# that query parameters have already been decoded.
#
proc wappInt-decode-query-params {} {
  global wapp
  dict set wapp .qp 1
  if {[dict exists $wapp QUERY_STRING]} {
    foreach qterm [split [dict get $wapp QUERY_STRING] &] {
      set qsplit [split $qterm =]
      set nm [lindex $qsplit 0]
      if {[regexp {^[a-z][a-z0-9]*$} $nm]} {
        dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]]
      }
    }
  }
  if {[dict exists $wapp CONTENT_TYPE] && [dict exists $wapp CONTENT]} {
    set ctype [dict get $wapp CONTENT_TYPE]
    if {$ctype=="application/x-www-form-urlencoded"} {
      foreach qterm [split [string trim [dict get $wapp CONTENT]] &] {
        set qsplit [split $qterm =]
        set nm [lindex $qsplit 0]
        if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} {
          dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]]
        }
      }
    } elseif {[string match multipart/form-data* $ctype]} {
      regexp {^(.*?)\r\n(.*)$} [dict get $wapp CONTENT] all divider body
      set ndiv [string length $divider]
      while {[string length $body]} {
        set idx [string first $divider $body]
        set unit [string range $body 0 [expr {$idx-3}]]
        set body [string range $body [expr {$idx+$ndiv+2}] end]
        if {[regexp {^Content-Disposition: form-data; (.*?)\r\n\r\n(.*)$} \
             $unit unit hdr content]} {
          if {[regexp {name="(.*)"; filename="(.*)"\r\nContent-Type: (.*?)$}\
                $hdr hr name filename mimetype]
              && [regexp {^[a-z][a-z0-9]*$} $name]} {
            dict set wapp $name.filename \
              [string map [list \\\" \" \\\\ \\] $filename]
            dict set wapp $name.mimetype $mimetype
            dict set wapp $name.content $content
          } elseif {[regexp {name="(.*)"} $hdr hr name]
                    && [regexp {^[a-z][a-z0-9]*$} $name]} {
            dict set wapp $name $content
          }
        }
      }
    }
  }
}

# Invoke application-supplied methods to generate a reply to
# a single HTTP request.
#
# This routine uses the global variable ::wapp and so must not be nested.
# It must run to completion before the next instance runs.  If a recursive
# instances of this routine starts while another is running, the the
# recursive instance is added to a queue to be invoked after the current
# instance finishes.  Yes, this means that WAPP IS SINGLE THREADED.  Only
# a single page rendering instance my be running at a time.  There can
# be multiple HTTP requests inbound at once, but only one my be processed
# at a time once the request is full read and parsed.
#
set wappIntPending {}
set wappIntLock 0
proc wappInt-handle-request {chan} {
  global wappIntPending wappIntLock
  fileevent $chan readable {}
  if {$wappIntLock} {
    # Another instance of request is already running, so defer this one
    lappend wappIntPending [list wappInt-handle-request $chan]
    return
  }
  set wappIntLock 1
  catch [list wappInt-handle-request-unsafe $chan]
  set wappIntLock 0
  if {[llength $wappIntPending]>0} {
    # If there are deferred requests, then launch the oldest one
    after idle [lindex $wappIntPending 0]
    set wappIntPending [lrange $wappIntPending 1 end]
  }
}
proc wappInt-handle-request-unsafe {chan} {
  global wapp
  dict set wapp .reply {}
  dict set wapp .mimetype {text/html; charset=utf-8}
  dict set wapp .reply-code {200 Ok}
  dict set wapp .csp {default-src 'self'}

  # Set up additional CGI environment values
  #
  if {![dict exists $wapp HTTP_HOST]} {
    dict set wapp BASE_URL {}
  } elseif {[dict exists $wapp HTTPS]} {
    dict set wapp BASE_URL https://[dict get $wapp HTTP_HOST]
  } else {
    dict set wapp BASE_URL http://[dict get $wapp HTTP_HOST]
  }
  if {![dict exists $wapp REQUEST_URI]} {
    dict set wapp REQUEST_URI /
  }
  if {[dict exists $wapp SCRIPT_NAME]} {
    dict append wapp BASE_URL [dict get $wapp SCRIPT_NAME]
  } else {
    dict set wapp SCRIPT_NAME {}
  }
  if {![dict exists $wapp PATH_INFO]} {
    # If PATH_INFO is missing (ex: nginx) then construct it
    set URI [dict get $wapp REQUEST_URI]
    regsub {\?.*} $URI {} URI
    set skip [string length [dict get $wapp SCRIPT_NAME]]
    dict set wapp PATH_INFO [string range $URI $skip end]
  }
  if {[regexp {^/([^/]+)(.*)$} [dict get $wapp PATH_INFO] all head tail]} {
    dict set wapp PATH_HEAD $head
    dict set wapp PATH_TAIL [string trimleft $tail /]
  } else {
    dict set wapp PATH_INFO {}
    dict set wapp PATH_HEAD {}
    dict set wapp PATH_TAIL {}
  }
  dict set wapp SELF_URL [dict get $wapp BASE_URL]/[dict get $wapp PATH_HEAD]

  # Parse query parameters from the query string, the cookies, and
  # POST data
  #
  if {[dict exists $wapp HTTP_COOKIE]} {
    foreach qterm [split [dict get $wapp HTTP_COOKIE] {;}] {
      set qsplit [split [string trim $qterm] =]
      set nm [lindex $qsplit 0]
      if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} {
        dict set wapp $nm [wappInt-decode-url [lindex $qsplit 1]]
      }
    }
  }
  set same_origin 0
  if {[dict exists $wapp HTTP_REFERER]} {
    set referer [dict get $wapp HTTP_REFERER]
    set base [dict get $wapp BASE_URL]
    if {$referer==$base || [string match $base/* $referer]} {
      set same_origin 1
    }
  }
  dict set wapp SAME_ORIGIN $same_origin
  if {$same_origin} {
    wappInt-decode-query-params
  }

  # Invoke the application-defined handler procedure for this page
  # request.  If an error occurs while running that procedure, generate
  # an HTTP reply that contains the error message.
  #
  wapp-before-dispatch-hook
  wappInt-trace
  set mname [dict get $wapp PATH_HEAD]
  if {[catch {
    if {$mname!="" && [llength [info command wapp-page-$mname]]>0} {
      wapp-page-$mname
    } else {
      wapp-default
    }
  } msg]} {
    if {[wapp-param WAPP_MODE]=="local" || [wapp-param WAPP_MODE]=="server"} {
      puts "ERROR: $::errorInfo"
    }
    wapp-reset
    wapp-reply-code "500 Internal Server Error"
    wapp-mimetype text/html
    wapp-trim {
      <h1>Wapp Application Error</h1>
      <pre>%html($::errorInfo)</pre>
    }
    dict unset wapp .new-cookies
  }
  wapp-before-reply-hook

  # Transmit the HTTP reply
  #
  set rc [dict get $wapp .reply-code]
  if {$rc=="ABORT"} {
    # If the page handler invokes "wapp-reply-code ABORT" then close the
    # TCP/IP connection without sending any reply
    wappInt-close-channel $chan
    return
  } elseif {$chan=="stdout"} {
    puts $chan "Status: $rc\r"
  } else {
    puts $chan "HTTP/1.1 $rc\r"
    puts $chan "Server: wapp\r"
    puts $chan "Connection: close\r"
  }
  if {[dict exists $wapp .reply-extra]} {
    foreach {name value} [dict get $wapp .reply-extra] {
      puts $chan "$name: $value\r"
    }
  }
  if {[dict exists $wapp .csp]} {
    puts $chan "Content-Security-Policy: [dict get $wapp .csp]\r"
  }
  set mimetype [dict get $wapp .mimetype]
  puts $chan "Content-Type: $mimetype\r"
  if {[dict exists $wapp .new-cookies]} {
    foreach {nm val} [dict get $wapp .new-cookies] {
      if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} {
        if {$val==""} {
          puts $chan "Set-Cookie: $nm=; HttpOnly; Path=/; Max-Age=1\r"
        } else {
          set val [wappInt-enc-url $val]
          puts $chan "Set-Cookie: $nm=$val; HttpOnly; Path=/\r"
        }
      }
    }
  }
  if {[string match text/* $mimetype]} {
    set reply [encoding convertto utf-8 [dict get $wapp .reply]]
    if {[regexp {\ygzip\y} [wapp-param HTTP_ACCEPT_ENCODING]]} {
      catch {wappInt-gzip-reply reply chan}
    }
  } else {
    set reply [dict get $wapp .reply]
  }
  puts $chan "Content-Length: [string length $reply]\r"
  puts $chan \r
  puts -nonewline $chan $reply
  flush $chan
  wappInt-close-channel $chan
}

# Compress the reply content
#
proc wappInt-gzip-reply {replyVar chanVar} {
  upvar $replyVar reply $chanVar chan
  set x [zlib gzip $reply]
  set reply $x
  puts $chan "Content-Encoding: gzip\r"
}

# This routine runs just prior to request-handler dispatch.  The
# default implementation is a no-op, but applications can override
# to do additional transformations or checks.
#
proc wapp-before-dispatch-hook {} {return}

# This routine runs after the request-handler dispatch and just
# before the reply is generated.  The default implementation is
# a no-op, but applications can override to do validation and security
# checks on the reply, such as verifying that no sensitive information
# such as an API key or password is accidentally included in the
# reply text.
#
proc wapp-before-reply-hook {} {return}

# Process a single CGI request
#
proc wappInt-handle-cgi-request {} {
  global wapp env
  foreach key [array names env {[A-Z]*}] {dict set wapp $key $env($key)}
  set len 0
  if {[dict exists $wapp CONTENT_LENGTH]} {
    set len [dict get $wapp CONTENT_LENGTH]
  }
  if {$len>0} {
    fconfigure stdin -translation binary
    dict set wapp CONTENT [read stdin $len]
  }
  dict set wapp WAPP_MODE cgi
  fconfigure stdout -translation binary
  wappInt-handle-request-unsafe stdout
}

# Process new text received on an inbound SCGI request
#
proc wappInt-scgi-readable {chan} {
  if {[catch [list wappInt-scgi-readable-unsafe $chan] msg]} {
    puts stderr "$msg\n$::errorInfo"
    wappInt-close-channel $chan
  }
}
proc wappInt-scgi-readable-unsafe {chan} {
  upvar #0 wappInt-$chan W wapp wapp
  if {![dict exists $W .toread]} {
    # If the .toread key is not set, that means we are still reading
    # the header.
    #
    # An SGI header is short.  This implementation assumes the entire
    # header is available all at once.
    #

    }
    if {$len>0} {
      # Still need to read the query content
      dict set W .toread $len
    } else {
      # There is no query content, so handle the request immediately
      dict set W SERVER_ADDR [dict get $W .remove_addr]
      set wapp $W
      wappInt-handle-request $chan
    }
  } else {
    # If .toread is set, that means we are reading the query content.
    # Continue reading until .toread reaches zero.
    set got [read $chan [dict get $W .toread]]
    dict append W CONTENT $got
    dict set W .toread [expr {[dict get $W .toread]-[string length $got]}]
    if {[dict get $W .toread]<=0} {
      # Handle the request as soon as all the query content is received
      dict set W SERVER_ADDR [dict get $W .remove_addr]
      set wapp $W
      wappInt-handle-request $chan
    }
  }
}

# Start up the wapp framework.  Parameters are a list passed as the
# single argument.
#
#    -server $PORT         Listen for HTTP requests on this TCP port $PORT
#
#    -local $PORT          Listen for HTTP requests on 127.0.0.1:$PORT
#
#    -scgi $PORT           Listen for SCGI requests on 127.0.0.1:$PORT

#                         after all event handlers are established.
#
#    -trace               "puts" each request URL as it is handled, for
#                         debugging
#
#    -debug               Disable content compression
#
#    -lint                Run wapp-safety-check on the application instead
#                         of running the application itself
#
#    -Dvar=value          Set TCL global variable "var" to "value"
#
#
proc wapp-start {arglist} {
  global env
  set mode auto
  set port 0
  set nowait 0
  set fromip {}
  set n [llength $arglist]
  for {set i 0} {$i<$n} {incr i} {

        incr i
        set fromip [lindex $arglist $i]
      }
      -nowait {
        set nowait 1
      }
      -debug {
        proc wappInt-gzip-reply {a b} {return}
      }
      -trace {
        proc wappInt-trace {} {
          set q [wapp-param QUERY_STRING]
          set uri [wapp-param BASE_URL][wapp-param PATH_INFO]
          if {$q!=""} {append uri ?$q}
          puts $uri
        }
      }
      -lint {
        set res [wapp-safety-check]
        if {$res!=""} {
          puts "Potential problems in this code:"
          puts $res
          exit 1
        } else {
          exit
        }

        && [string match CGI/1.* $env(GATEWAY_INTERFACE)]} {
      set mode cgi
    } else {
      set mode local
    }
  }
  if {$mode=="cgi"} {
    wappInt-handle-cgi-request
  } else {
    wappInt-start-listener $port $mode $fromip
    if {!$nowait} {
      vwait ::forever
    }
  }
}

# Call this version 1.0
package provide wapp 1.0

/*
** A TCLSH that reads itself as its initialization script.  This is
** intended for use as CGI.  The CGI script should look like:
**
**      #/usr/bin/cgitclsh
**      #
**      proc wapp-default {} {
**        wapp "<h1>Hello, World!</h1>\n"
**      }
**      wapp-default -cgi
**
*/
#define SQLITE_THREADSAFE 0
#undef SQLITE_ENABLE_COLUMN_METADATA
#define SQLITE_OMIT_DECLTYPE 1
#define SQLITE_OMIT_DEPRECATED 1
#define SQLITE_OMIT_PROGRESS_CALLBACK 1
#define SQLITE_OMIT_SHARED_CACHE 1
#define SQLITE_DEFAULT_MEMSTATUS 0
#define SQLITE_MAX_EXPR_DEPTH 0
#define SQLITE_OMIT_LOAD_EXTENSION 1
#define SQLITE_ENABLE_FTS4 1
#define SQLITE_ENABLE_FTS5 1
#define SQLITE_ENABLE_RTREE 1
#define SQLITE_ENABLE_JSON1 1
#define TCLSH_INIT_PROC wapptclsh_init_proc
INCLUDE tclsqlite3.c

/* The wapp.tcl script contains the useful web-application interface
** procedures.  After loading this script, "package require wapp" becomes
** a no-op
*/
static const char zWapp[] = 
BEGIN_STRING
INCLUDE $ROOT/wapp.tcl
END_STRING
;

/* This script runs to figure out what the main script should be.  It
** loads the main script into a TCL variable named "main_script".  Or,
** if an interactive shell is desired, "main_script" is unset.
*/
static const char zWappTclshInit[] = 
BEGIN_STRING
INCLUDE $ROOT/wapptclsh.tcl
END_STRING
;

/*
** Return the text of the script to run.  Or, return NULL to run an
** interactive shell.
*/
const char *wapptclsh_init_proc(Tcl_Interp *interp){
  Tcl_GlobalEval(interp, zWapp);  /* Load the wapp.tcl extension */
  Tcl_GlobalEval(interp, zWappTclshInit); /* Load the main loop script */
  return Tcl_GetVar(interp, "main_script", TCL_GLOBAL_ONLY);
}

# This script runs to initialize wapptclsh.
#
proc initialize_wapptclsh {} {
  global argv argv0 main_script
  if {[llength $argv]==0} {
    set script --help
  } else {
    set script [lindex $argv 0]
  }
  if {[string index $script 0]=="-"} {
    set opt [string trim $script -]
    if {$opt=="v"} {
      puts stderr "Wapp using SQLite version [sqlite3 -version]"
    } else {
      puts stderr "Usage: $argv0 FILENAME"
      puts stderr "Options:"
      puts stderr "   -v      Show version information"
    }
    exit 1
  } elseif {[file readable $script]} {
    set fd [open $script r]
    set main_script [read $fd]
    close $fd
    set argv [lrange $argv 1 end]
    set argv0 $script
  } else {
    puts stderr "unknown option: \"$script\"\nthe --help option is available"
  }
}
initialize_wapptclsh