The Kaya standard library includes many features for web developers, including easy state management between pages, a code development model ensuring high-quality cross-browser HTML, and single-function access to commonly-needed features such as refilling forms. Application security is rightly a major concern on the web, and Kaya’s web development model allows you to easily minimise the risks of cross-site scripting and remote code execution.

The examples below all use the ‘webprog’ development model. Kaya also provides a ‘webapp’ development model suitable for rapid prototyping and testing of small web applications.

Easy state management

In web applications it is often necessary to store information temporarily (for example, when a user is carrying out a multi-stage process). The ‘simplestate’ webprog demonstrates this in a simplified way.

• simplestate source
• simplestate CGI demonstration

For an example of the @ syntax used in this example and elsewhere, see the partial functions tutorial.

Preparing to pass state

  void(addLocalControlInput(f1,"Next step",formStage3@(),state));

This part of simplestate.k creates a submit button within the form that when pressed, passes the state variable to the formStage3 function. AES-256 encryption is used to ensure that a user cannot create a modified input that will call an arbitrary function with arbitrary parameters – this is not equivalent to the obviously insecure PHP code.

<?php
$function = $_POST['function'];
$parameter = $_POST['parameter'];
$function($parameter);
?>

While it’s obviously possible in other languages to securely pass state and function call information from page to page, Kaya automates the process, leaving you free to concentrate on the higher-level application logic.

Handling the passed state

The runHandler function is used to actually run the function called by submit buttons, with the startAppfunction as a ‘default function’ if the application is called without a submit button (for example, on initialisation).

appendExisting(doc.body,runHandler(@startApp));

The output of the function is then inserted into the HTML page.

Removing the need for repeated data checking

To keep the example simple, the ‘simplestate’ example doesn’t do any checking that the entered data is sensible – for example, it will happily allow you to enter a blank name. On a multiple page form, by passing the state with Kaya’s secure encryption, you only have to do this check once, when you first place the data into the state variable. If you were to print out each previous variable as an <input type=’hidden’ …> on the page, you would have to check it at each stage.

Automatically re-filled forms

A common need in web applications is to validate a user’s form input, and if there are errors, redisplay the form so that the user can correct them. In doing so, it is essential for usability to enter the values the user has already submitted into the form. In Kaya, this requires just one function call.

• autofill source
• autofill CGI demonstration

The key line for refilling the form is

	autoFill(form,DataPost);

While the saving for a two-field form such as this is not significant, for a more complex form it can save a lot of effort.

High quality HTML code

The HTML code generation model used in Kaya ensures that your code will always be readable and well-formed, with closing tags automatically added in the right place, attributes properly quoted, and many of the HTML validation rules automatically enforced.

Avoiding cross-site scripting

Kaya distinguishes between HTML elements and their content, eliminating many possibilities for cross-site scripting (XSS) security vulnerabilities in web applications. You can safely place user input directly into your page:

p = addParagraph(doc.body,"Your name is "+incomingValue("name",DataGet)+".");

Should someone create a link of the form .../my.cgi?name=<script>alert(document.cookie)</script> then this will automatically be escaped on output to generate the HTML <p>Your name is <script>alert(document.cookie)</script></p>

Should you need to allow users to add some HTML code to a page, then the readFromString allows you to restrict the HTML to a whitelist of elements and attributes that you choose, or pick some commonly used preset values.

Separation of logic and output

It’s easy in Kaya to write the application code in a logical order, while having the HTML output in a different logical order. For example, imagine a system that checks documents for errors. It’s useful in this case to have a summary of errors at the top.

docs = getDocuments();
summary = addParagraph(html.body,"Checking "+size(docs)+" documents: ");
report = addList(html.body,Ordered,0);
errors = 0;
for doc in docs {
    error = checkDoc(doc);
    if (error) {
        errors++;
        pushListItem(report,doc.name+" has errors!");
    } else {
        pushListItem(report,doc.name+" is okay.");
    }
}
if (errors == 0) {
    addString(summary,"no errors");
} else if (errors == 1) {
    void(appendInlineElement(summary,Emphasis,"one error found!"));
} else {
    void(appendInlineElement(summary,Emphasis,errors+" errors found!"));
}

Kaya makes it easy to add the error summary at the appropriate place, without worrying about when to print closing tags, or having to explicitly delay printing of particular parts of the code.