This is the mail archive of the kawa@sourceware.org mailing list for the Kawa project.

Re: functional programming and web services
On 10/26/2016 05:23 AM, Damien MATTEI wrote:
>> * ResultatGeneralFKawa.scm builds HTML by concatenating strings.
>> That seems verbose - and dangerous (consider injection attacks).
> Gloups! This is my first database accessed by web (!). I didn't know that sort of attack.
> I searched about SQL injection attacks over the internet and yes, I made a test by "injecting" an OR-ed
> tautology at the right place via the form: the result was accessing the whole list of star observations.
> It's so huge that the database is unavailable for many minutes before recovering.
> Well, that's not really a security issue because accessing data of observations is the goal of the web application;
> there are no passwords or secret things in the database, but I will fix that! Thanks!
>> Have you considered using XML literals?
> Yes, months ago; I read and tested your documentation
> https://www.gnu.org/software/kawa/XML-tools.html
> and I should have asked for help about it, because I know how to create HTML nodes in the Kawa interpreter like this: (html:p "Don't use the " (html:code "<blink>") " tag.")
> but I cannot figure out what the result type of the object is and how to cast it to a string to return it to Java and Tomcat...
> It would be nice if you could give me an example.

The Scheme API for working with XML is rather incomplete.
Since Kawa includes XPath and XQuery, the functionality is
there - it's just not easy to access.  (It might be reasonable
as a minimum to define a function where people can use XPath
expressions.)

However, there is enough to conveniently construct nodes, and convert
them to strings:

(define name "Tom")
(define hello-span #<span>Hello &[name]!</>)
(define action "<login>")
(define div1 #<p>&[hello-span]<span> Please &[action]</span></p>)
(display div1) (newline)

Note when div1 is printed, the angle-brackets from action are escaped.
The escaping does *not* happen when div1 is constructed - that just creates a
text node.  The escaping happens when the text node (child of div1)
is "serialized" to a string, by calling display.  You can also do:
  (div1:toString)
to directly yield an XML-formatted string.

Note the following are equivalent:

(html:span "Hello")
#<html:span>Hello</>

Leaving out the html: in the latter is almost the same,
but in the default empty namespace:

#<span>Hello</>

A browser should display #<html:span>Hello</> and
#<span>Hello</> the same.
--
	--Per Bothner
per@bothner.com   http://per.bothner.com/
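To put the two approaches from this thread side by side, here is an added example in Kawa Scheme; it is not code from the original mail or from Kawa's documentation, and the procedure names (render-by-concat, render-by-node) and the sample input are assumed. It renders one untrusted value once by string concatenation, as ResultatGeneralFKawa.scm does, and once through an XML literal, then serializes the node with toString so the result is a plain string a servlet can return.

```scheme
;; Added example, not part of the original mail. Names and the sample
;; value are assumed for illustration.
(define untrusted "<script>alert(1)</script>")   ; constructed sample input

;; 1. String concatenation: whatever the user typed lands in the page
;;    verbatim, tags included, so the browser interprets it as markup.
(define (render-by-concat text)
  (string-append "<p>Search term: " text "</p>"))

;; 2. XML literal: the value of &[text] becomes a text node. Nothing is
;;    escaped at construction; the '<', '>' and '&' are escaped when the
;;    node is serialized, here via toString, which yields an XML-formatted
;;    java.lang.String that can be handed straight back to Java/Tomcat.
(define (render-by-node text)
  (let ((node #<p>Search term: &[text]</p>))
    (node:toString)))

(display (render-by-concat untrusted)) (newline)
(display (render-by-node untrusted)) (newline)
```

Run in the Kawa REPL, the first line prints the script tag intact while the second prints it with the angle brackets escaped, as described above for div1; the same holds for display on the node itself, since display also serializes it. The practical rule for the servlet is therefore to build the page as nodes and convert to a string only once, at the point of return.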