Bottle sounds like it makes things very simple. I also have a chapter introducing server-side Python interaction in very simple cases. http://anh.cs.luc.edu/python/hands-on/3.1/handsonHtml/ch4.html It does come well after function introduction.

Dr. Andrew N. Harrington
Computer Science Department
Graduate Program Director
g...@cs.luc.edu
Loyola University Chicago
207 Doyle Center, 1052 W Loyola Ave.
http://www.cs.luc.edu/~anh
Phone: 773-508-3569
Dept. Fax: 773-508-3739
ahar...@luc.edu (as professor, not gpd role)

On Sat, Mar 31, 2018 at 8:20 PM, Wes Turner <wes.tur...@gmail.com> wrote:
> Web programming is fun but dangerous.
> Things as simple as 'it reads a file off the disk and sends it to the
> user' can unintentionally expose every readable file to whoever or whatever
> can access localhost.
>
> ```python
> os.path.join('here', '/etc/shadow')
> path = 'here/' + '../../../../etc/shadow'
> ```
>
> All of the examples in this thread are susceptible to XSS (Cross Site
> Scripting) and CSRF (Cross-site Request Forgery). Don't feel bad; many
> college web programming courses teach dangerous methods, too.
>
> XSS:
> ```
> x = """</body><script>alert('download_mining_script()')</script>"""
> return f'<html><body>{x}'
> ```
>
> Bottle has multiple templating engines which escape user-supplied input
> (in order to maintain a separation between data and code).
>
> Like XSS, SQLi is also a 'code injection' issue. pypi:Records can use
> SQLAlchemy. Django is a great framework with a built-in ORM that also
> escapes SQL queries.
>
> CSRF:
> - X posts an XSS to site A that POSTs to site B
> - 100 users view site A
> - [...]
>
> http://bottle-utils.readthedocs.io/en/latest/csrf.html
>
> https://bottlepy.org/docs/dev/tutorial.html#html-form-handling
>
> OWASP has a lot of information on WebSec:
>
> OWASP Top 10
> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>
> The OWASP Vulnerable Web Applications Directory Project (VWAD)
> https://github.com/OWASP/OWASP-VWAD
>
> Any program or user on the system can read and write to localhost.
>
>
> On Saturday, March 31, 2018, Wes Turner <wes.tur...@gmail.com> wrote:
>
>> Bottle is a single file web microframework.
>>
>> https://github.com/bottlepy/bottle
>> https://github.com/bottlepy/bottle/blob/master/bottle.py
>>
>> > Example: "Hello World" in a bottle
>>
>> ```python
>> from bottle import route, run, template
>>
>> @route('/hello/<name>')
>> def index(name):
>>     return template('<b>Hello {{name}}</b>!', name=name)
>>
>> run(host='localhost', port=8080)
>> ```
>>
>> There are docs and every function is Ctrl-F'able within bottle.py.
>>
>> On Friday, March 30, 2018, kirby urner <kirby.ur...@gmail.com> wrote:
>>
>>> Very interesting. I note that free users are relegated to Python 2.7
>>>
>>> Server modules can be Python 3.6 (outside the free version)
>>>
>>> Client stuff compiles to JavaScript and is approximately 2.7
>>>
>>> That's a bit confusing maybe. I try to avoid 2.7 but that's not easy.
>>>
>>> In my Coding with Kids work, we use Codesters.com to teach Python, which
>>> depends on Skulpt. Also 2.x ish.
>>>
>>> Kirby
>>>
>>> On Fri, Mar 30, 2018 at 11:49 AM, Jason Blum <jason.b...@gmail.com> wrote:
>>>
>>>> http://anvil.works/ is a pretty interesting approach to Python web
>>>> applications.
>>>>
>>>> On Fri, Mar 30, 2018 at 2:05 PM, kirby urner <kirby.ur...@gmail.com> wrote:
>>>>
>>>>> Hi Aivar --
>>>>>
>>>>> I think it's a fine idea to write simple Python scripts that write
>>>>> HTML files, which you may then pull up in the browser.
>>>>>
>>>>> There's no need to put a server behind static web pages. So, for
>>>>> example, I'll have my students write a page of bookmarks:
>>>>>
>>>>> # -*- coding: utf-8 -*-
>>>>> """
>>>>> Created on Wed Nov 4 18:02:30 2015
>>>>>
>>>>> @author: Kirby Urner
>>>>> """
>>>>>
>>>>> # tuple of tuples
>>>>> bookmarks = (
>>>>>     ("Anaconda.org", "http://anaconda.org"),
>>>>>     ("Python.org", "http://python.org"),
>>>>>     ("Python Docs", "https://docs.python.org/3/"),
>>>>>     ("Spaghetti Code", "http://c2.com/cgi/wiki?SpaghettiCode"),
>>>>>     ("Structured Programming", "http://c2.com/cgi/wiki?StructuredProgramming"),
>>>>>     ("Map of Languages", "http://archive.oreilly.com/pub/a/oreilly//news/languageposter_0504.html"),
>>>>>     ("XKCD", "http://xkcd.com"),
>>>>> )
>>>>>
>>>>> page = '''\
>>>>> <!DOCTYPE HTML>
>>>>> {}
>>>>> '''
>>>>>
>>>>> html = """\
>>>>> <HTML>
>>>>> <HEAD>
>>>>> <TITLE>Bookmarks for Python</TITLE>
>>>>> </HEAD>
>>>>> <BODY>
>>>>> <H3>Bookmarks</H3>
>>>>> <BR />
>>>>> <UL>
>>>>> {}
>>>>> </UL>
>>>>> </BODY>
>>>>> </HTML>
>>>>> """.lower()
>>>>>
>>>>> the_body = ""
>>>>> for place, url in bookmarks:
>>>>>     the_body += "<li><a href='{}'>{}</a></li>\n".format(url, place)
>>>>>
>>>>> webpage = open("links.html", "w")
>>>>> print(page.format(html.format(the_body)), file=webpage)
>>>>> webpage.close()
>>>>>
>>>>> All you need to add to your example is using print() to save to a file,
>>>>> so the browser has something to open.
>>>>>
>>>>> I would not call this a "web app" yet it's instructive in showing how
>>>>> Python can write HTML files.
>>>>>
>>>>> Kirby
>>>>>
>>>>> On Wed, Mar 28, 2018 at 12:18 AM, Aivar Annamaa <aivar.anna...@ut.ee> wrote:
>>>>>
>>>>>> Hi!
>>>>>> Let's say my students are able to write programs like this:
>>>>>>
>>>>>> name = input("name")
>>>>>>
>>>>>> if name == "Pete":
>>>>>>     greeting = "Hi"
>>>>>> else:
>>>>>>     greeting = "Hello!"
>>>>>>
>>>>>> print(f"""
>>>>>> <html>
>>>>>> <body>
>>>>>> {greeting} {name}!
>>>>>> </body>
>>>>>> </html>
>>>>>> """)
>>>>>>
>>>>>> I'd like to allow them to start writing web-apps without introducing
>>>>>> functions first (most web-frameworks require functions).
>>>>>>
>>>>>> It occurred to me that it's not hard to create a wrapper, which
>>>>>> presents this code as a web-app (input would be patched to look up
>>>>>> GET or POST parameters with given name).
>>>>>>
>>>>>> This approach would allow simple debugging of the code on a local
>>>>>> machine and no extra libraries are required in this phase.
>>>>>>
>>>>>> Any opinions on this? Has this been tried before?
>>>>>>
>>>>>> best regards,
>>>>>> Aivar
>>>>>>
>>>>>> _______________________________________________
>>>>>> Edu-sig mailing list
>>>>>> Edu-sig@python.org
>>>>>> https://mail.python.org/mailman/listinfo/edu-sig
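The following is an added example, not code from the thread, from Bottle, or from any of the posters. It takes the two concrete points raised above, Wes Turner's path examples (`os.path.join('here', '/etc/shadow')` and the `'../'` concatenation) and Aivar's idea of a wrapper that patches `input()` to read request parameters, and shows, in plain Python with no framework installed, how a defender would check each: a `safe_join` that confines a user-supplied path to a base directory, and a `run_script` wrapper that escapes the parameter value before the student's f-string ever sees it. The names `naive_join`, `safe_join`, `run_script` and `STUDENT_SCRIPT` are hypothetical; `STUDENT_SCRIPT` is a constructed copy of the program Aivar posted.

```python
"""Added example, not code from the thread or from Bottle: the two concerns
raised above checked in plain Python, with no framework installed.

  1. safe_join(): why os.path.join('here', '/etc/shadow') is not a sandbox,
     and how to confine a user-supplied path to a base directory.
  2. run_script(): Aivar's idea of running an input()-based student script
     as a request handler, with input() patched to read request parameters
     and the value HTML-escaped before the script sees it.

All names here (naive_join, safe_join, run_script, STUDENT_SCRIPT) are
hypothetical; the student script is constructed to match the one posted.
"""
import builtins
import contextlib
import html
import io
import os
from urllib.parse import parse_qs


def naive_join(base, user_path):
    """The pattern the thread warns about: os.path.join() discards `base`
    when `user_path` is absolute and keeps '..' segments untouched."""
    return os.path.join(base, user_path)


def safe_join(base, user_path):
    """Resolve `user_path` under `base`; return None if it would escape.

    Absolute input is rejected outright.  realpath() collapses '..' and
    symlinks, and commonpath() proves containment (a plain startswith()
    check would accept 'here2/...' as being inside 'here')."""
    if os.path.isabs(user_path):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    try:
        if os.path.commonpath([base_real, candidate]) != base_real:
            return None
    except ValueError:  # e.g. different drives on Windows: no common path
        return None
    return candidate


# Constructed copy of the student program from the thread.
STUDENT_SCRIPT = '''
name = input("name")

if name == "Pete":
    greeting = "Hi"
else:
    greeting = "Hello!"

print(f"""
<html>
<body>
{greeting} {name}!
</body>
</html>
""")
'''


def run_script(source, query_string, escape=True):
    """Run a student's input()-based script as if it were a request handler.

    input(prompt) is replaced by a lookup of `prompt` in the parsed query
    string (first value, '' if absent).  With escape=True the value is
    HTML-escaped at the boundary, so f"<b>{name}</b>" in the script cannot
    be turned into script injection.  The script itself is trusted (it is
    the student's own code); only the request parameters are untrusted.
    Returns the captured stdout, i.e. the response body."""
    params = parse_qs(query_string)

    def fake_input(prompt=""):
        value = params.get(prompt, [""])[0]
        return html.escape(value, quote=True) if escape else value

    # Give the script its own builtins with input() swapped out, so the
    # patch does not leak into the rest of the process.
    namespace = {"__builtins__": dict(vars(builtins), input=fake_input)}
    out = io.StringIO()
    with contextlib.redirect_stdout(out):
        exec(source, namespace)
    return out.getvalue()


if __name__ == "__main__":
    print(naive_join("here", "/etc/shadow"))      # 'here' is simply dropped
    print(safe_join("here", "/etc/shadow"))       # None: rejected
    print(safe_join("here", "../../etc/shadow"))  # None: escapes base
    print(safe_join("here", "docs/readme.txt"))   # absolute path under here/
    hostile = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print(run_script(STUDENT_SCRIPT, hostile, escape=False))  # tag survives
    print(run_script(STUDENT_SCRIPT, hostile))                # &lt;script&gt;
```

Escaping inside the patched `input()` keeps the student program unchanged: the f-string still builds the page, but the only untrusted piece, the request parameter, arrives already neutralised. The trade-off is that the script then cannot use the raw value for anything but HTML output, which for a first web exercise is the right default; a template engine that escapes on output, as the Bottle templates mentioned above do, is the general-purpose version of the same boundary.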