Wapp

Check-in [38fa4334e3]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Documentation improvements.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 38fa4334e3ad601143474c501d800b1d2801f8f196fb053d056d4da9bc872ee3
User & Date: drh 2019-04-01 01:57:25
Context
2019-04-08
20:14
For the %string() substitution, encode newlines and carriage returns using backslash escapes. check-in: 6385090072 user: drh tags: trunk
2019-04-01
01:57
Documentation improvements. check-in: 38fa4334e3 user: drh tags: trunk
01:31
Fix error in the first example of the "intro.md" page. check-in: 83e002a08c user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to README.md.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Wapp - A Web-Application Framework for TCL
==========================================

Wapp is a framework for writing web applications in TCL,
with the following advantages:

  *   Small and simple API → easy to learn and use
  *   A complete application is contained in a single file of TCL
  *   Resistant to attacks and exploits
  *   Cross-platform → CGI, SCGI, or a built-in web server
  *   The Wapp framework itself is a single-file TCL script
  *   Easy to embedded in a larger application
      to provide a web-based monitoring capability
  *   The MVC design pattern is supported but not required
  *   2-clause BSD license

Documentation
-------------

  *  ["Hello World!" App (6 lines of code)](/doc/trunk/docs/helloworld.md)
  *  [Introduction To Writing Wapp Applications](/doc/trunk/docs/intro.md)







|



|
<
<







1
2
3
4
5
6
7
8
9
10
11
12


13
14
15
16
17
18
19
Wapp - A Web-Application Framework for TCL
==========================================

Wapp is a framework for writing web applications in TCL,
with the following advantages:

  *   Small and simple API &rarr; easy to learn and use
  *   A complete app is a single small file of TCL
  *   Resistant to attacks and exploits
  *   Cross-platform &rarr; CGI, SCGI, or a built-in web server
  *   The Wapp framework itself is a single-file TCL script
  *   Easy to embedded in a larger application, if desired


  *   2-clause BSD license

Documentation
-------------

  *  ["Hello World!" App (6 lines of code)](/doc/trunk/docs/helloworld.md)
  *  [Introduction To Writing Wapp Applications](/doc/trunk/docs/intro.md)

Changes to docs/debughints.md.

1
2
3
4
5
6
7
8

9
10
11
12
13
14
15
16
17
Hints For Debugging Wapp Applications
=====================================

Here are some suggestions for debugging Wapp applications:

  +  If it seems like the [wapp-param](#wapp-param) command is not 
     working correctly, that might be because the same-origin policy
     is preventing query parameters from being parsed.

     Try adding this command to the top of the page generator proc, at
     least temporarily to see if that clears the problem.

  +  If parts of your webpage do not appear to be working, that might
     be due to the restrictive default 
     [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
     that Wapp uses.  Try temporarily disabling the CSP using a command
     like <blockquote><b>wapp-content-security-policy off</b></blockquote>
     near the top of your page-generator proc.





|


>
|
|







1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Hints For Debugging Wapp Applications
=====================================

Here are some suggestions for debugging Wapp applications:

  +  If it seems like the [wapp-param](commands.md#wapp-param) command is not 
     working correctly, that might be because the same-origin policy
     is preventing query parameters from being parsed.
     Try adding the [wapp-allow-xorigin-parameters](commands.md#allow-xorigin)
     command to the top of the page generator proc, at
     least temporarily, to see if that clears the problem.

  +  If parts of your webpage do not appear to be working, that might
     be due to the restrictive default 
     [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
     that Wapp uses.  Try temporarily disabling the CSP using a command
     like <blockquote><b>wapp-content-security-policy off</b></blockquote>
     near the top of your page-generator proc.

Changes to docs/intro.md.

163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
      wapp-trim {
        <h1>Wapp Environment</h1>\n<pre>
        <pre>%html([wapp-debug-env])</pre>
      }
    }
    wapp-start $argv

Most Wapp applications contain an /env page for debugging and
trouble-shooting purpose.  Examples:
<https://sqlite.org/checklists/env> and
<https://sqlite.org/search?env=1>


2.1 Binary Resources
--------------------







|







163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
      wapp-trim {
        <h1>Wapp Environment</h1>\n<pre>
        <pre>%html([wapp-debug-env])</pre>
      }
    }
    wapp-start $argv

Many Wapp applications contain an /env page for debugging and
trouble-shooting purpose.  Examples:
<https://sqlite.org/checklists/env> and
<https://sqlite.org/search?env=1>


2.1 Binary Resources
--------------------

Changes to docs/security.md.

51
52
53
54
55
56
57

















58
59
60
61
62
63

  6.  If the application is launched on a command-line with the --lint
      option, then instead of running the application, Wapp scans the
      application code looking for constructs that are unsafe.  Unsafe
      constructs include things such as using 
      "[wapp-subst](commands.md#wapp-subst)" with an argument
      that is not contained within {...}.


















Part of what makes Wapp easy to use is that it helps free application
developers from the worry of accidently introducing security vulnerabilities
via programming errors.  Of course, no framework is fool-proof.  Developers
still must be aware of security.  Wapp does not prevent every error, but
it does help make writing a secure application easier and less stressful.







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>






51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

  6.  If the application is launched on a command-line with the --lint
      option, then instead of running the application, Wapp scans the
      application code looking for constructs that are unsafe.  Unsafe
      constructs include things such as using 
      "[wapp-subst](commands.md#wapp-subst)" with an argument
      that is not contained within {...}.

  7.  The new (non-standard) SAME\_ORIGIN variable is provided. This variable
      has a value of "1" or "0" depending on whether or not the current HTTP
      request comes from the same origin. Applications can use this information
      to enhance their own security precautions by refusing to provide sensitive
      information or perform sensitive actions if SAME\_ORIGIN is not "1".

  8.  The --scgi mode only accepts SCGI requests from localhost.  This prevents
      an attacker from sending an SCGI request directly to the script and bypassing
      the webserver in the event that the site firewall is misconfigured or omitted.

  9.  Though cookies, query parameters and POST parameters are accessed using
      the same mechanism as CGI variables, the CGI variable names use a disjoint
      namespace.  (CGI variables are all upper-case and all others are lower-case.)
      Hence, it is not possible for a remote attacher to create a fake CGI variable 
      or override the value of a CGI variable.


Part of what makes Wapp easy to use is that it helps free application
developers from the worry of accidently introducing security vulnerabilities
via programming errors.  Of course, no framework is fool-proof.  Developers
still must be aware of security.  Wapp does not prevent every error, but
it does help make writing a secure application easier and less stressful.