Following my last post, some alert readers pointed out that Crunchy could be a security risk for its users. Crunchy acts as a web server, fetching html-based Python tutorials and displaying them in your browser with controls that allow you to execute the Python code. This is meant as a good thing... but it might not be if the code is allowed to run automatically when the page is loaded. In fact, this might have occurred with previous (<0.7) versions. Johannes and I changed the way that Crunchy works so as to remove any security worries - at least, we hope so. Anyone interested can obviously look at the code; for others, here's what we do:

1. Each time Crunchy starts, it generates a random session number (10 digits long).
2. The javascript code used to communicate between Crunchy and the browser is fetched from a static file and modified to include the unique session number as part of each command; a new javascript file, with a filename that incorporates the session number, is generated.
3. When Crunchy fetches an html page, it processes it to remove unwanted code. This means removing all (java-)scripts and only allowing html tags that are on a "whitelist". This whitelist excludes any of the usual "onload", "oninit", etc., automatic execution attributes.
4. Next, Crunchy's interactive elements (Python interpreter, code editor, button for Python code execution, etc.) are inserted with the javascript calls, each call given a unique identifier for that session.
5. Finally, the processed page is displayed in the browser, with the server waiting for user-generated interactions.

This procedure is repeated for any page that is loaded during that session. At the end of a session, when Crunchy is terminated, the javascript file that was generated and used in that session is deleted.

The latest version (0.7) includes these security features and many new additions [a complete list of the changes from version 0.6 is appended at the end of this message].
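A whitelist-based page processor in the spirit of the steps above, as an added example (not Crunchy's own code): it drops every script element together with its contents, keeps only whitelisted tags and attributes, never lets an on* handler through, rejects javascript: links, and finally adds a single script reference carrying the per-session number. The tag and attribute lists and the /crunchy_<session>.js filename are assumptions.

```python
import html
import secrets
from html.parser import HTMLParser

ALLOWED_TAGS = {"html", "head", "title", "body", "h1", "p", "pre", "code", "ul", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}, "pre": {"title"}}  # hypothetical lists, not Crunchy's own
DROP_WITH_CONTENT = {"script", "style"}  # the tag and the text inside it both go

def safe_href(value):
    # Browsers ignore embedded whitespace, so strip it before looking for a scheme.
    v = "".join((value or "").lower().split())
    scheme = v.split(":", 1)[0] if ":" in v.split("/", 1)[0] else ""
    return scheme in ("", "http", "https")  # relative and http(s) only; no javascript:

class Whitelister(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # event handlers are never on the whitelist
                if name == "href" and not safe_href(value):
                    continue
                kept.append(f' {name}="{html.escape(value or "")}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # text is re-escaped

def new_session_id():
    return f"{secrets.randbelow(10**10):010d}"  # random 10-digit number from a CSPRNG

def process_page(raw_html, session_id):
    parser = Whitelister()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out) + f'<script src="/crunchy_{session_id}.js"></script>'
```

Because the page is rebuilt from the parsed tree rather than filtered with regular expressions, a tag or attribute that is not explicitly allowed simply never reaches the output.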
Currently, Johannes is working on adapting How to think like a computer scientist to use with Crunchy, as well adding new interactive features. For my part, I have been working on internationalisation issues (adding a French interface) and other configuration choices. Due to end-of-summer holidays, work on Crunchy will likely slow down for a few weeks at least but we should be able to reach version 1.0 early in the Fall.
After that, I will be ready to start implementing rur-ple inside the Crunchy environment; if there is enough interest, I might implement a turtle graphics module as well.
===== Changes from 0.6 to 0.7 ================

0. Name change
To prevent confusion with an existing program named CrunchyFrog, "Crunchy Frog" has been renamed as "Crunchy", short for "Crunchy, the Interactive Python Tutorial Maker".
1. *Security fix*
The previous versions of Crunchy allowed tutorials containing arbitrary (and hidden) javascript code to be loaded within a browser window. The new version removes any existing javascript code prior to processing for display within a browser.
Feel free to try and break this - and please report any findings back to us.
2. New functionality
- It is possible to run external programs from within the browser; sample demos include GUI programs with 1. Tkinter, 2. pyGtk, 3. wxPython, 4. Pygame.
- Automatic syntax colouring of (static) Python code, including (as an option) line numbering.
- New plotting canvas with a simple to use api to draw mathematical functions.
- Drawing & plotting canvas can be set to arbitrary size.
- Multiple canvases can now appear on the same page.
- New additions to, and simplification of, the sound api.
- Simplification of error messages (tracebacks), more suitable for beginners.

3. New visual design
- Integrated menu which can be styled through custom css.
- Three sample css styles now included (selectable via the browser menu).

4. New content
- First draft sound tutorial exploring concepts of frequency, beats, harmonics (Fourier series), etc.
- New addition to the basic "Crunchy user" tutorial.
- Additions to all reference documentation (sound & graphics api, vlam options, etc.).
posted by André Roberge at 10:37 PM on Aug 21, 2006
"Securing Crunchy"