Wapp really just a collection of TCL procs. All procs are in a single file named "wapp.tcl".

The procs that form the public interface for Wapp begin with "wapp-". The implementation uses various private procedures that have names beginning with "wappInt-". Applications should use the public interface only.

The most important Wapp interfaces are:

  • wapp-start
  • wapp-subst and wapp-trim
  • wapp-param

Understand the four interfaces above, and you will have a good understanding of Wapp. The other interfaces are merely details.

The following is a complete list of the public interface procs in Wapp:

  • wapp-start ARGLIST
    Start up the application. ARGLIST is typically the value of $::argv, though it might be some subset of $::argv if the containing application has already processed some command-line parameters for itself. This proc never returns, and so it should be very last command in the application script.

  • wapp-subst TEXT
    This command appends text to the end of reply to an HTTP request. The TEXT argument should be enclosed in {...} to prevent substitutions. The "wapp-subst" command itself will do all necessary backslash substitutions. Command and variable substitutions only occur within "%html(...)", "%url(...)", "%qp(...)", "%string(...)", and "%unsafe(...)". The substitutions are escaped (except in the case of "%unsafe(...)") so that the result is safe for inclusion within the body of an HTML document, a URL, a query parameter, or a javascript or JSON string literal, respectively.

  • wapp-trim TEXT
    Just like wapp-subst, this routine appends TEXT to the web page under construction, using the %html, %url, %qp, %string, and %unsafe substitutions. The difference is that this routine also removes surplus whitespace from the left margin, so that if the TEXT argument is intended in the source script, it will appear at the left margin in the generated output.

  • wapp-param NAME DEFAULT
    Return the value of the Wapp parameter NAME, or return DEFAULT if there is no such query parameter or environment variable. If DEFAULT is omitted, then it is an empty string.

  • wapp-set-param NAME VALUE
    Change the value of parameter NAME to VALUE. If NAME does not currently exist, it is created.

  • wapp-param-exists NAME
    Return true if and only if a parameter called NAME exists for the current request.

  • wapp-param-list NAME
    Return a TCL list containing the names of all parameters for the current request. Note that there are several parameters that Wapp uses internally. Those internal-use parameters all have names that begin with ".".

  • wapp-allow-xorigin-params
    Query parameters and POST parameters are usually only parsed and added to the set of parameters available to "wapp-param" for same-origin requests. This restriction helps prevent cross-site request forgery (CSRF) attacks. Query-only web pages for which it is safe to accept cross-site query parameters can invoke this routine to cause query parameters to be decoded.

  • wapp-mimetype MIMETYPE
    Set the MIME-type for the generated web page. The default is "text/html".

  • wapp-reply-code CODE
    Set the reply-code for the HTTP request. The default is "200 Ok".

  • wapp-redirect TARGET-URL
    Cause an HTTP redirect to TARGET-URL.

  • wapp-reset
    Reset the web page under construction back to an empty string.

  • wapp-set-cookie NAME VALUE
    Cause the cookie NAME to be set to VALUE.

  • wapp-clear-cookie NAME
    Erase the cookie NAME.

  • wapp-safety-check
    Examine all TCL procedures in the application and return a text string containing warnings about unsafe usage of Wapp commands. This command is run automatically if the "wapp-start" command is invoked with a --lint option.

  • wapp-cache-control CONTROL
    The CONTROL argument should be one of "no-cache", "max-age=N", or "private,max-age=N", where N is an integer number of seconds.

  • wapp-content-security-policy POLICY
    Set the Content Security Policy (hereafter "CSP") to POLICY. The default CSP is default_src 'self', which is very restrictive. The default CSP disallows (a) loading any resources from other origins, (b) the use of eval(), and (c) in-line javascript or CSS of any kind. Set POLICY to "off" to completely disable the CSP mechanism. Or specify some other policy suitable for the needs of the application.

  • wapp-debug-env
    This routine returns text that describes all of the Wapp parameters. Use it to get a parameter dump for troubleshooting purposes.

  • wapp TEXT
    Add TEXT to the web page output currently under construction. TEXT must not contain any TCL variable or command substitutions. This command is rarely used.

  • wapp-unsafe TEXT
    Add TEXT to the web page under construction even though TEXT does contain TCL variable and command substitutions. The application developer must ensure that the variable and command substitutions does not allow XSS attacks. Avoid using this command. The use of "wapp-subst" is preferred in most situations.