Haskell framework for the web

Speaking in Tongues

Clever Compiler

Yesod does not scan incoming data for JavaScript. Instead, every value that a Hamlet template interpolates with #{...} is HTML-escaped when the page is rendered, so a submitted <script></script> reaches the browser as inert text: Yesod replaces < with &lt; and > with &gt;, and the markup is never executed. The same boundary principle protects the database: Persistent hands user-supplied values to the driver as bound query parameters instead of splicing them into the SQL string, which is what rules out SQL injection [16].
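The two boundaries described above, side by side, as an added example that is not code from the article or from the Yesod project. It calls the Hamlet quasi-quoter and Persistent's raw SQL interface directly (shakespeare, blaze-html, persistent and persistent-sqlite packages assumed); the attacker inputs, the account table and its rows are constructed for the demonstration. It also shows the escape hatches on both sides, because those are where the protection is usually lost in practice.

```haskell
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes #-}
-- Added example, not code from the article or the Yesod project.
-- Assumes the shakespeare, blaze-html, persistent and persistent-sqlite
-- packages; the table, column and sample rows are constructed for the demo.
module Main (main) where

import Control.Monad.IO.Class (MonadIO, liftIO)
import Control.Monad.Reader (ReaderT)
import Data.Text (Text)
import Database.Persist.Sql (Single (..), SqlBackend, rawExecute, rawSql, toPersistValue)
import Database.Persist.Sqlite (runSqlite)
import Text.Blaze.Html (Html, preEscapedToHtml)
import Text.Blaze.Html.Renderer.String (renderHtml)
import Text.Hamlet (shamlet)

-- Constructed attacker-controlled inputs.
xssPayload :: Text
xssPayload = "<script>alert(1)</script>"

sqlPayload :: Text
sqlPayload = "x' OR '1'='1"

-- Hamlet: #{..} runs the value through blaze-html's escaper, so '<', '>',
-- '&' and quotes come out as entities and the browser never sees a tag.
greeting :: Text -> Html
greeting who = [shamlet|<p>Hello, #{who}|]

-- The escape hatch: preEscapedToHtml tells blaze the value is already HTML.
-- Using it on user input re-creates the XSS the framework just removed.
greetingUnescaped :: Text -> Html
greetingUnescaped who = [shamlet|<p>Hello, #{preEscapedToHtml who}|]

-- Persistent: '?' placeholders are bound parameters; the driver never
-- interprets the value as SQL, whatever quotes it contains.
secretFor :: MonadIO m => Text -> ReaderT SqlBackend m [Text]
secretFor name =
  map unSingle <$> rawSql "SELECT secret FROM account WHERE name = ?" [toPersistValue name]

-- For comparison only: splicing the value into the query text is what
-- rawSql lets you do if you ignore the parameter list. Do not ship this.
secretForConcat :: MonadIO m => Text -> ReaderT SqlBackend m [Text]
secretForConcat name =
  map unSingle <$> rawSql ("SELECT secret FROM account WHERE name = '" <> name <> "'") []

main :: IO ()
main = do
  putStrLn (renderHtml (greeting xssPayload))          -- tag arrives as entities
  putStrLn (renderHtml (greetingUnescaped xssPayload)) -- tag arrives live
  runSqlite ":memory:" $ do
    rawExecute "CREATE TABLE account (name TEXT NOT NULL, secret TEXT NOT NULL)" []
    rawExecute "INSERT INTO account VALUES (?, ?)"
      [toPersistValue ("alice" :: Text), toPersistValue ("alice-secret" :: Text)]
    rawExecute "INSERT INTO account VALUES (?, ?)"
      [toPersistValue ("bob" :: Text), toPersistValue ("bob-secret" :: Text)]
    safe <- secretFor sqlPayload         -- no account has that literal name
    leaked <- secretForConcat sqlPayload -- the OR clause is true for every row
    liftIO $ putStrLn ("parameterized: " ++ show safe)
    liftIO $ putStrLn ("concatenated:  " ++ show leaked)
```

With the parameterized query the lookup for the hostile name returns nothing; with the concatenated one the WHERE clause becomes name = 'x' OR '1'='1' and every secret in the table comes back. Likewise the first rendered paragraph carries &lt;script&gt; as text while the second carries a live script element. The lesson for code review is that the defaults are safe and the danger lies in preEscapedToHtml, in rawSql with hand-built strings, and in anything else that declares data to be trusted.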

The Haskell compiler type-checks every function, so a call with an argument of the wrong type is rejected before the program runs. The templates written in the Shakespearean family of languages (Hamlet, Cassius, Lucius, Julius) are processed at compile time as well, so a syntax error in a template, an interpolation of a value of the wrong type, or a link to a route that does not exist is a compile error rather than a surprise during operation.

Cookies

Yesod applications are RESTful and therefore stateless by design, but sometimes the framework has to keep session data across requests (e.g., for a shopping cart). The clientsession package stores that data in a cookie that is encrypted and carries an authentication tag (a MAC). The encryption keeps the contents hidden from the user; the tag lets the server detect any modification, so a client cannot alter its own session. The cookie still crosses the network in the clear unless the site uses HTTPS, which remains the defence against eavesdropping and man-in-the-middle attacks.

The developer determines how long a session cookie stays valid. To enable sessions, the makeSessionBackend method in Foundation.hs names the file in which the server keeps the secret key used to encrypt and authenticate the cookie (the file is created on first start if it does not exist); the cookie itself lives in the browser, not on the server. Listing 12 shows this configuration. Firefox accepts such cookies even in private mode (Figure 6), so you do not need to do without them. Because the session travels in the encrypted cookie, sensitive data also stays out of the URL.

Listing 12

<My project>/Foundation.hs (Extract)

[...]
instance Yesod App where
    -- client-side session: encrypted, authenticated cookie
    makeSessionBackend _ = Just <$> defaultClientSessionBackend
        -- timeout in minutes
        120
        -- file holding the server's secret key (created if missing)
        "<Path/to/Cookie>.aes"
Figure 6: Firefox displays the encrypted content of the session cookie. With the setting in Listing 12, the cookies generated by Yesod are valid for two hours.
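What the encryption and the authentication tag of the session cookie actually buy you, as an added example that is not code from the article or from Yesod. It calls the clientsession package (the library behind defaultClientSessionBackend) directly with a freshly generated key instead of a key file; the session payload and the tampering step are constructed for the demonstration.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not code from the article or from Yesod itself. Uses the
-- clientsession package directly; the payload below is constructed.
module Main (main) where

import qualified Data.ByteString.Char8 as B
import Web.ClientSession (Key, decrypt, encryptIO, randomKey)

-- Constructed session payload; a real Yesod session is a serialized map.
sessionData :: B.ByteString
sessionData = "user=alice;cart=3,17"

-- Change one character in the middle of the cookie value, as a client
-- editing its own cookie would.
tamper :: B.ByteString -> B.ByteString
tamper c =
  let i   = B.length c `div` 2
      old = B.index c i
      new = if old == 'A' then 'B' else 'A'
  in B.take i c <> B.singleton new <> B.drop (i + 1) c

-- Encrypt once, then decrypt the intact cookie, a tampered copy, and the
-- intact cookie under a different server key.
checks :: Key -> Key -> IO (Maybe B.ByteString, Maybe B.ByteString, Maybe B.ByteString)
checks key otherKey = do
  cookie <- encryptIO key sessionData
  return ( decrypt key cookie            -- tag verifies, plaintext comes back
         , decrypt key (tamper cookie)   -- tag no longer matches, rejected
         , decrypt otherKey cookie )     -- wrong key, rejected

main :: IO ()
main = do
  (_, key)      <- randomKey
  (_, otherKey) <- randomKey
  (ok, tampered, wrong) <- checks key otherKey
  putStrLn ("intact:    " ++ show ok)
  putStrLn ("tampered:  " ++ show tampered)
  putStrLn ("wrong key: " ++ show wrong)
```

Only the first decrypt yields the payload; the tampered and wrong-key cases come back as Nothing, which is the point: the server never acts on session data it did not produce. Note what this does not cover: a user can still replay an older cookie that is still within the timeout, which is why the two-hour limit in Listing 12 is part of the design rather than a convenience, and why the key file must be protected like any other server secret.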

Recycling Code

Modularity also means reusing code in other projects, which Yesod implements with subsites. A subsite is a self-contained bundle of routes and handlers (e.g., a chat component) that a master site mounts under a path of its choosing, so the same component can appear in several software projects. To reuse it, copy the folder that contains the subsite into the new project and mount it in that project's routes.

When implementing subsites, note that apart from the examples in Snoyman's book [14], not much useful information is available on the web, so you need to teach yourself or gather information from several sources.

Another form of modularity is the reuse of ordinary Haskell modules. For example, a game written in Haskell can be imported into a Yesod project and made available to users through the browser.
