Tuesday, August 07, 2007
Crunchy-like sites for javascript and ruby
While I have been aware of the Try Ruby site for quite a while, recently I came across this interactive javascript tutorial. While none of these are nearly as flexible as Crunchy, they are nice resources that are currently available for anyone to try without needing to install anything. It would be nice if I could have a dedicated server running Crunchy in a sandbox so that people could try it out without having to download it.
flat is better than nested?
In the process of making Crunchy more secure, I had extra attention to css files that contained import statements, since these can be used to insert javascript code. I was rather surprised when I looked at www.python.org. First, I noticed the line
I wonder why the link redirection is used...
<link rel="stylesheet" type="text/css" media="screen"which, in itself, appears rather ordinary. Upon following the link, I found that the content of the css file consists of the single line:
id="screen-switcher-stylesheet" href="/styles/screen-switcher-default.css" />
@import url(../styles/styles.css);In its default security mode, Crunchy just ignores any style information that contains "url(" in it. As a result, when viewed using the default security mode for Crunchy, the python.org site's formatting is lost.
I wonder why the link redirection is used...
Saturday, July 28, 2007
Crunchy Security Advisory
A security hole has been uncovered in Crunchy (version 0.9.1.1 and earlier).
Anyone using Crunchy to browse web tutorials should only visit sites that are trustworthy.
We are working hard at fixing the hole; a new release addressing the problems that have been found should be forthcoming shortly.
-----
The security problem is as follows:
In theory, a web page could contain some javascript code (or link to such code) that would bypass Crunchy's filter to be executed by the browser. If that is the case, the javascript code could be designed to send some Python code directly to the Python backend (i.e. without the Crunchy user pressing a button, or having the chance to view the code to be executed) so that it is executed. Such code could result in deleting the entire files or installing some virus on the user's machine.
At the moment, the risk is pretty low. Crunchy already removes all obvious (and most non-obvious) javascript code, links to such code, etc. The holes found require the use of some uncommon combination of html and css code, with a particular knowledge of Firefox.
(Note that browsers other than Firefox are likely to be even more vulnerable).
Furthermore, Crunchy is not that well known that it is likely to be a target by a cracker that would 1) write a "tutorial" interesting enough to lure current Crunchy users (who, at this point, are likely to include only advanced Python users) and 2) write some fairly involved javascript code to bypass the second security layer (where the commands enabling communication between the browser and crunchy are made up of random string generated uniquely at each new Crunchy session).
Tuesday, July 10, 2007
Rur-ple 1.0rc2 : bug fix for wxPython 2.8
Three changes; a grand total of 3 lines of code. That's all I needed to change to make rur-ple work with wxPython 2.8 (and probably 2.7). It only took me 8 months to get around to fix it due to a combination of lack of time and, when I had time, my obsession with Crunchy.
Speaking of Crunchy, I found a bug today: any Python output that has something like
Speaking of Crunchy, I found a bug today: any Python output that has something like
< ..... >
in it will be such that the stuff between angle brackets will not be shown. This is because the browser thinks it is a valid tag. The first time I noticed it was when I tried to do help(cmp). Then, I was going through "how to think like a computer scientist" (before I point my son to it) and noticed that the exercise with type(...) did not work. So, it is time to do a bug fix release - but no official announcement of this minor release. I'm curious to see if I'll hear from someone about this bug prior to the next "major" release.
Monday, July 09, 2007
New Crunchy (0.9) is out
By now, the official announcement should have made it to many lists. After a mad rush of coding and writing documentation over the past week or so, and implementing lots of new cool features, the new Crunchy is officially taking over from the old one.
I believe that this new version can do much to promote Python usage. If you do agree, please mention it!
Here's a copy of the announcement I sent to various lists:
Crunchy 0.9 has been released. It is available at http://code.google.com/p/crunchy
What is Crunchy?
Crunchy is a an application that transforms html Python tutorials into interactive session viewed within a browser. We are not aware of any other application (in any language) similar to Crunchy. Currently Crunchy has only been fully tested with Firefox; we know that some browsers simply don't work with it. Crunchy should work with all operating systems - it has been tested fairly extensively on Linux, Windows and Mac OS.
What is new in this release?
Crunchy has been rewritten from scratch from the previous version (0.8.2), to use a custom plugin architecture. This makes easier to extend and add new functionality. Rather than list the differences with the old release, it is easier to list the essential features of this new version.
1. Crunchy can work best with specially marked-up html tutorials. However, it can now work with any html tutorials - including the official Python tutorial on the python.org site. Html pages can be loaded locally or remotely from anywhere on the Internet. Crunchy uses a combination of Elementtree and BeautifulSoup to process html pages. Non W3C-compliant pages can be handled, but the visual appearance is not guaranteed to reproduce that normally seen using a browser.
2. Crunchy can insert a number of Python interpreters inside a web page. In the default mode, it does that whenever it encounters an html [pre] element which is assumed to contain some Python code. These interpreters can either share a common environment (e.g. modules imported in one of them are known in the other) or be isolated one from another.
3. Crunchy adds automatic css styling to the Python code - you can look at the official Python tutorial using your browser (all Python code in blue) and compare with what Crunchy displays to give you a good idea.
4. Instead of inserting an interpreter, Crunchy can insert a code editor that can be used to modify the Python code on the page and execute it. The editor can be toggled to become a fairly decent syntax aware editor that can save and load files.
5. Crunchy has a "doctest" feature where the code inside the [pre] is taken to be the result of an interpreter session and the user has to write the code so as to make the interpreter session valid; this is useful in a teaching environment. Messages from the Crunchy's doctest are "friendlier" for Python beginners than the usual tracebacks.
6. Crunchy has a small graphics library that can be imported, either inside an editor or an interpreter, to produce simple graphics (even animations!) inside the browser.
7. For the user that needs better quality graphics, Crunchy supports programs (such as matplotlib) that can create image files; by executing the code, the image produced is loaded inside the browser window. In this capacity, Crunchy could be used as a front end for libraries such as matplotlib.
8. Crunchy supports code execution of files as separate processes, making it suitable to launch gui based application from the browser window.
9. Crunchy's interpreter has an interactive "help" feature like many python-aware IDEs.
10. Crunchy includes a fairly comprehensive tutorial on its own use, as well as a reference for tutorial writers that want to make their tutorials "crunchy-friendlier".
11. As a security feature, crunchy strips all pre-existing javascript code from an html page before displaying it inside the browser window.
Bug reports, comments and suggestions are always welcome.
André Roberge, for the Crunchy team.
I believe that this new version can do much to promote Python usage. If you do agree, please mention it!
Here's a copy of the announcement I sent to various lists:
Crunchy 0.9 has been released. It is available at http://code.google.com/p/crunchy
What is Crunchy?
Crunchy is a an application that transforms html Python tutorials into interactive session viewed within a browser. We are not aware of any other application (in any language) similar to Crunchy. Currently Crunchy has only been fully tested with Firefox; we know that some browsers simply don't work with it. Crunchy should work with all operating systems - it has been tested fairly extensively on Linux, Windows and Mac OS.
What is new in this release?
Crunchy has been rewritten from scratch from the previous version (0.8.2), to use a custom plugin architecture. This makes easier to extend and add new functionality. Rather than list the differences with the old release, it is easier to list the essential features of this new version.
1. Crunchy can work best with specially marked-up html tutorials. However, it can now work with any html tutorials - including the official Python tutorial on the python.org site. Html pages can be loaded locally or remotely from anywhere on the Internet. Crunchy uses a combination of Elementtree and BeautifulSoup to process html pages. Non W3C-compliant pages can be handled, but the visual appearance is not guaranteed to reproduce that normally seen using a browser.
2. Crunchy can insert a number of Python interpreters inside a web page. In the default mode, it does that whenever it encounters an html [pre] element which is assumed to contain some Python code. These interpreters can either share a common environment (e.g. modules imported in one of them are known in the other) or be isolated one from another.
3. Crunchy adds automatic css styling to the Python code - you can look at the official Python tutorial using your browser (all Python code in blue) and compare with what Crunchy displays to give you a good idea.
4. Instead of inserting an interpreter, Crunchy can insert a code editor that can be used to modify the Python code on the page and execute it. The editor can be toggled to become a fairly decent syntax aware editor that can save and load files.
5. Crunchy has a "doctest" feature where the code inside the [pre] is taken to be the result of an interpreter session and the user has to write the code so as to make the interpreter session valid; this is useful in a teaching environment. Messages from the Crunchy's doctest are "friendlier" for Python beginners than the usual tracebacks.
6. Crunchy has a small graphics library that can be imported, either inside an editor or an interpreter, to produce simple graphics (even animations!) inside the browser.
7. For the user that needs better quality graphics, Crunchy supports programs (such as matplotlib) that can create image files; by executing the code, the image produced is loaded inside the browser window. In this capacity, Crunchy could be used as a front end for libraries such as matplotlib.
8. Crunchy supports code execution of files as separate processes, making it suitable to launch gui based application from the browser window.
9. Crunchy's interpreter has an interactive "help" feature like many python-aware IDEs.
10. Crunchy includes a fairly comprehensive tutorial on its own use, as well as a reference for tutorial writers that want to make their tutorials "crunchy-friendlier".
11. As a security feature, crunchy strips all pre-existing javascript code from an html page before displaying it inside the browser window.
Bug reports, comments and suggestions are always welcome.
André Roberge, for the Crunchy team.
Sunday, June 24, 2007
Fun with the new Crunchy
Since the new Crunchy can work with files that have no Crunchy-specific additional markup, some neat experiments are possible, in addition to playing with the official Python tutorial with a Python interpreter embedded on the web page that I mentioned in my last post. For the curious among you, here's something else to try.
Assuming you have the latest (version 0.2) alpha release of the new Crunchy, edit the file vlam.py, replacing "interpreter" by "editor" at lines 108 and 109. Then, launch Crunchy and click on the "tests" link. On the following page, click on the "Loading arbitrary tutorials" link. Then, in the box for loading remote tutorials, enter the address of the Python cookbook (http://aspn.activestate.com/ASPN/Python/Cookbook/).
The formatting will be off, but you can select your favorite recipe. When you do this, you can edit the code and execute it right on the page. Often, all you need to do is to replace
In the near future, Crunchy will provide an easy way to select which interactive element (Python interpreter or editor) is to be inserted by default, without having to edit the code by hand.
Assuming you have the latest (version 0.2) alpha release of the new Crunchy, edit the file vlam.py, replacing "interpreter" by "editor" at lines 108 and 109. Then, launch Crunchy and click on the "tests" link. On the following page, click on the "Loading arbitrary tutorials" link. Then, in the box for loading remote tutorials, enter the address of the Python cookbook (http://aspn.activestate.com/ASPN/Python/Cookbook/).
The formatting will be off, but you can select your favorite recipe. When you do this, you can edit the code and execute it right on the page. Often, all you need to do is to replace
__name__ == "__main__" by True and you are ready to try the examples, modifying them at will.In the near future, Crunchy will provide an easy way to select which interactive element (Python interpreter or editor) is to be inserted by default, without having to edit the code by hand.
From vlam to nam: Using Crunchy to interact with the official Python tutorial
Breaking news: you can now use Crunchy to browse and interact with the official Python tutorial. More below...
Since my last post that described briefly some features of the new Crunchy engine, I have not had much time to work on Crunchy. Johannes too has been fairly busy so that Crunchy development pretty much stopped, until the beginning of Google Summer of Code. Two students joined the Crunchy team: Edin Salković and Bryan Psimas. Unfortunately, due to other commitments, Edin was not able to continue with his SoC project - but he did manage to write the prototype of a new plugin for Crunchy that I will describe below.
The new Crunchy engine now works extremely well. As I wrote in my previous post, Crunchy is now more responsive; it supports simultaneous execution of multiple code sample, proper input (stdin) handling from the webpage browser and the api (for writing tutorials) has been significantly simplified as there is no longer be any need to have an embedded "canvas" call in a tutorial: the user is now able to load a graphics dynamically anywhere on a page. These graphics can even include simple animations using pure Python code (for the end user - javascript behind the scene for us, unfortunately).
There is more. For example:
Quite a few features from the "old Crunchy" need to be implemented (e.g. menus including a way to properly quit the application, translations, update:the ability to load an arbitrary tutorials given a URL, etc.) in the new version but, overall, it is working very well.
One of the "problems" with the old Crunchy is that it did require two things from a tutorial writer:
And ... Crunchy has now been written so that it automatically inserts a Python interpreter whenever it sees a bare <pre> (i.e. with nam = no additional markup). As a result, one can now browse the official Python tutorial with Crunchy and interact with it.
This automatic insertion of an interpreter sometimes yields too many interpreter inserted on a page than really needed; it is better to hand craft a tutorial. However, it should make Crunchy a lot more useful to many more people.
For those interested in trying out the "new Crunchy", an alpha release is available. If you have never used Crunchy before, you should try version 0.8.2 first and go through the tutorial from the menu.
Since my last post that described briefly some features of the new Crunchy engine, I have not had much time to work on Crunchy. Johannes too has been fairly busy so that Crunchy development pretty much stopped, until the beginning of Google Summer of Code. Two students joined the Crunchy team: Edin Salković and Bryan Psimas. Unfortunately, due to other commitments, Edin was not able to continue with his SoC project - but he did manage to write the prototype of a new plugin for Crunchy that I will describe below.
The new Crunchy engine now works extremely well. As I wrote in my previous post, Crunchy is now more responsive; it supports simultaneous execution of multiple code sample, proper input (stdin) handling from the webpage browser and the api (for writing tutorials) has been significantly simplified as there is no longer be any need to have an embedded "canvas" call in a tutorial: the user is now able to load a graphics dynamically anywhere on a page. These graphics can even include simple animations using pure Python code (for the end user - javascript behind the scene for us, unfortunately).
There is more. For example:
- it is now possible to style <code> elements;
- Python code sample (either inside <pre> or <code>) that contain pre-existing html markup can now be handled by Crunchy without generating an error (blank page!) as before;
- it is now possible to specify a starting number different from 1 when requesting that line numbers be added to a code sample;
- when it styles the code, Crunchy now automatically detects if a given code sample represents an interpreter session or a "normal" code sample;
- it is now possible to use input() and raw_input() with an interpreter, and the result appears inside the page displayed by the browser.
Quite a few features from the "old Crunchy" need to be implemented (e.g. menus including a way to properly quit the application, translations, update:
One of the "problems" with the old Crunchy is that it did require two things from a tutorial writer:
- That the html code written be W3C compliant (with no warning, no unclosed tags, etc.).
- That Crunchy specific markup (vlam = very little additional markup) be added to instruct Crunchy to add interactive elements.
And ... Crunchy has now been written so that it automatically inserts a Python interpreter whenever it sees a bare <pre> (i.e. with nam = no additional markup). As a result, one can now browse the official Python tutorial with Crunchy and interact with it.
This automatic insertion of an interpreter sometimes yields too many interpreter inserted on a page than really needed; it is better to hand craft a tutorial. However, it should make Crunchy a lot more useful to many more people.
For those interested in trying out the "new Crunchy", an alpha release is available. If you have never used Crunchy before, you should try version 0.8.2 first and go through the tutorial from the menu.
Subscribe to:
Posts (Atom)