Quixote.ca

White Paper: Quixote for Web Development

Last Modified: 13 Dec 2008

Introduction

Quixote is a framework for developing Web applications in Python. Quixote is based on a simple, flexible design, making it possible to write applications quickly and to benefit from the wide range of available third-party Python modules. Deployed appropriately, Quixote has excellent performance that allows you to put Quixote-based applications into large-scale production use.

Architecture

A Quixote application is typically a Python package, a collection of modules grouped into a single directory tree. Quixote maps each URL to a method of a Python object; that method is called with an object representing the HTTP request, and its return value is sent back to the client.

Quixote can be connected to the Web in several ways:

HTML Templating

Quixote provides its own solution for HTML generation called Python Template Language (PTL). (Using PTL in Quixote applications is optional.)

PTL applies Python's syntax to generating HTML. In a PTL template, expression results and literal strings are automatically assembled into a function's output. Here is an example PTL function:

# In an [html] function, every expression statement is appended to the output.
def format_row [html] (head, value):
    "<tr valign=top align=left>\n"
    "  <th align=left>%s</th>\n" % head    # head is HTML-escaped unless it is already htmltext
    "  <td>%s</td>\n" % value              # likewise for value
    "</tr>\n"

The function is marked as being written in PTL by the [html] annotation in the function's definition. This function can be written and saved in a file whose name ends in ".ptl". Such ".ptl" files can then be imported using Python's import statement, and the template can be invoked just like a regular Python function. For example, you might code:

import util_templates

def output [html] (request):
    ...                                    # data: a sequence of (heading, value) pairs computed here
    "<table>"
    for heading, value in data:
        util_templates.format_row(heading, value)   # the row's htmltext is appended to the output
    "</table>"

PTL's [html] functions escape the special characters '<', '>', '&' and '"' in any plain Python string that is interpolated into a template, for example a value that originated from the client browser or from a database. Only text explicitly marked as trusted HTML (Quixote's htmltext type, which is also what an [html] function returns) is inserted unescaped. Used consistently, this feature avoids a class of security vulnerability called "cross-site scripting attacks", in which a hostile user gets arbitrary HTML into a web application's output, where it can link to other sites or carry JavaScript that runs in other users' browsers.

Alternative templating syntaxes can also be used. Several different syntaxes have been implemented as Python packages; because Quixote makes it easy to use third-party Python packages, you can support any templating syntax you wish.

Quixote's Advantages

Simplicity

Quixote is not a large framework that tries to subsume every conceivable Web development task; it strives for flexibility instead. Quixote handles the details of interfacing with the web server, such as parsing form request variables and processing uploaded files, and provides mechanisms through which new features such as session tracking can be implemented.

This makes Quixote easy to learn for experienced Python programmers, because the skills they already have from writing Python programs and scripts apply directly to writing Web applications with Quixote. Novice programmers can also learn Quixote, and once they have, their new-found skills carry over to other Python programming tasks.

(A series of Quixote tutorials can be found at http://www.quixote.ca/learn/.)

By staying within the mainstream of Python design practice, Quixote makes it easy to use third-party modules in Quixote-based applications. External packages such as the Reportlab Toolkit (PDF file generation), ZODB (an object database), or mxODBC (access to relational databases) can be used from Quixote without difficulty.

Existing Python tools such as the Distribution Utilities (distutils) can be used to package and install Quixote-based applications. We hope that Quixote users will begin to release their own add-ons and applications built on top of Quixote, leading to the formation of a user community.

Performance

Quixote imposes very low overhead on each HTTP transaction, meaning that performance can be quite good even on inexpensive hardware. For example, one benchmark found that Quixote and SCGI can achieve 75 requests/second on a lowly Pentium 200! On a more current machine with an Athlon XP 1700+ processor, this combination has been measured at 425 requests/second.

Security

Quixote is relatively small, consisting of almost 7,000 lines of Python code, only about 2,500 of which make up the core publishing code. A code base of that size can be read end to end, which makes auditing it for security vulnerabilities practical.

The automatic HTML quoting in PTL, if used diligently, removes the most common source of cross-site scripting bugs: forgetting to escape one particular value before it reaches the page. The protection is a property of the data types, so it has limits a developer must keep in mind. A value that has been wrapped in htmltext is inserted verbatim, so untrusted input must never be wrapped that way; escaping covers element content and quoted attribute values, not unquoted attribute values or the scheme of a URL placed in an href; and markup assembled with plain string operations outside PTL gets no escaping at all.
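The escaping rule described here, and in the HTML Templating section above, is easiest to see with the types written out. The following is an added example, not Quixote's code: SafeHTML stands in for Quixote's htmltext, format_row and render_table mirror the PTL functions from the templating section, and the hostile inputs are constructed for the demonstration.

```python
import html


class SafeHTML(str):
    """Text already known to be safe HTML (stand-in for Quixote's htmltext).

    Added illustration, not Quixote's implementation.  Template literals are
    SafeHTML; interpolating a plain str with % escapes it, while a SafeHTML
    argument is inserted unchanged.
    """
    __slots__ = ()

    def __mod__(self, args):
        if not isinstance(args, tuple):
            args = (args,)
        return SafeHTML(str.__mod__(self, tuple(quote(a) for a in args)))

    def __add__(self, other):
        return SafeHTML(str.__add__(self, quote(other)))


def quote(value):
    """Escape anything that is not already SafeHTML.

    & < > and " are covered, so the result is safe as element content and
    inside double-quoted attribute values.
    """
    if isinstance(value, SafeHTML):
        return value
    return SafeHTML(html.escape(str(value), quote=True))


def format_row(head, value):
    # Plain-Python equivalent of the page's PTL format_row: every literal is
    # SafeHTML and % escapes head and value unless they are SafeHTML already.
    out = SafeHTML('<tr valign="top" align="left">\n')
    out += SafeHTML('  <th align="left">%s</th>\n') % head
    out += SafeHTML('  <td>%s</td>\n') % value
    out += SafeHTML('</tr>\n')
    return out


def render_table(rows):
    # Equivalent of the page's output(): rows is a sequence of (heading, value).
    out = SafeHTML('<table>\n')
    for head, value in rows:
        out += format_row(head, value)
    out += SafeHTML('</table>\n')
    return out


# Constructed hostile inputs, as a browser form or a database row might supply.
SCRIPT_PAYLOAD = '<script>alert(document.cookie)</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def script_survives(rendered):
    """True if a <script> element survived rendering as live markup."""
    return '<script>' in rendered


def demo():
    """Return (escaped_ok, bypassed): the safe path and the classic mistake."""
    escaped = render_table([('Name', SCRIPT_PAYLOAD), ('Title', ATTR_PAYLOAD)])
    # The mistake auto-escaping cannot catch: untrusted data wrapped as
    # SafeHTML before interpolation is trusted verbatim.
    bypassed = render_table([('Name', SafeHTML(SCRIPT_PAYLOAD))])
    return (not script_survives(escaped), script_survives(bypassed))


if __name__ == '__main__':
    print(render_table([('Name', SCRIPT_PAYLOAD)]))
    print('escaped correctly, bypass via SafeHTML():', demo())
```

The practical check this suggests is to search an application for every place request data or database rows are wrapped in htmltext (here, SafeHTML) and to confirm each one is deliberate; the types do the escaping, so the only way to lose it is to assert trust that the data does not deserve. Note also that the example quotes every attribute value, which the original template does not; escaping '"' only helps if the attribute is quoted.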

Quixote also requires the developer to list explicitly, in each namespace's _q_exports list, which names can be reached from a URL; a function or module that is not listed is simply not published, whether or not it exists. This makes it unlikely that a private helper will be accidentally exposed, and it means the set of externally reachable entry points can be read directly from the code during an audit.
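To make the export rule concrete, here is an added example, not Quixote's publisher, of a minimal traversal that honours a _q_exports list the way the paragraph describes. Directory, TraversalError, publish and the sample UserDirectory and RootDirectory classes are all constructed for this illustration; the behaviours modelled (an empty component mapping to _q_index, a redirect when a directory is reached without a trailing slash) follow Quixote's conventions but the code is not Quixote's.

```python
class TraversalError(Exception):
    """A URL component did not name an exported object (a 404 in practice)."""


class Directory:
    """Namespace whose _q_exports lists the URL components it exposes.

    Added model of the rule the page describes (Quixote's own Directory
    objects and modules carry a _q_exports attribute); not Quixote's
    implementation.  "" (a trailing slash) maps to the _q_index method.
    """
    _q_exports = ()

    def _q_translate(self, component):
        """Attribute name for a URL component, or None if not exported."""
        if component not in self._q_exports:
            return None
        return '_q_index' if component == '' else component

    def _q_traverse(self, components):
        """Resolve a list of URL components, one namespace at a time."""
        component, rest = components[0], components[1:]
        name = self._q_translate(component)
        if name is None:
            # Not listed: unreachable even if the attribute exists.
            raise TraversalError('%r is not exported' % component)
        obj = getattr(self, name)
        if rest:
            if not isinstance(obj, Directory):
                raise TraversalError('%r has no sub-pages' % component)
            return obj._q_traverse(rest)
        return obj


def publish(root, path, request=None):
    """Map a URL path to a handler and call it; return (status, body)."""
    if not path.startswith('/'):
        return (400, 'path must be absolute')
    try:
        target = root._q_traverse(path.split('/')[1:])
    except TraversalError as exc:
        return (404, str(exc))
    if isinstance(target, Directory):
        # A directory reached without a trailing slash: redirect to add one.
        return (301, path + '/')
    if not callable(target):
        return (404, 'not callable')
    return (200, target(request))


# Constructed sample application.
class UserDirectory(Directory):
    _q_exports = ('', 'profile')          # delete_all deliberately absent

    def _q_index(self, request):
        return 'user index'

    def profile(self, request):
        return 'profile page'

    def delete_all(self, request):
        # Callable from Python code, but never by URL.
        return 'all users deleted'


class RootDirectory(Directory):
    _q_exports = ('', 'users')

    def __init__(self):
        self.users = UserDirectory()

    def _q_index(self, request):
        return 'home'


def reachable(path):
    """Status code the sample application returns for path."""
    return publish(RootDirectory(), path)[0]


if __name__ == '__main__':
    for path in ('/', '/users/', '/users/profile', '/users',
                 '/users/delete_all', '/users/__class__', '/users/_q_index'):
        print(path, publish(RootDirectory(), path))
```

The point of the allowlist is visible in the last three paths: delete_all exists as a method, __class__ exists on every object, and _q_index exists by name, yet none of them can be reached by URL because none is listed. An audit of which handlers a deployment exposes therefore reduces to reading each _q_exports list (and any _q_lookup method, which Quixote uses for dynamically named children and which needs its own validation of the component it receives).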

Freedom

Quixote is free software, available under a license identical to that used by Python itself. There's no cost to acquire the Quixote code, and no fees are required to write or run Quixote applications. You can also modify the Quixote code and redistribute your modified version.

Quixote Availability

Quixote runs on several Unix variants (Linux, FreeBSD, Apple MacOS X) and on Microsoft Windows.

A partial list of the HTTP servers supported by Quixote includes Apache (optionally using SCGI, mod_fastcgi, or CGI), Microsoft IIS, AOLServer, Medusa, and Twisted Python.

Resources for Learning More

The main site for Quixote is http://www.quixote.ca.

Quixote is written in the Python programming language. More information on Python is available at http://www.python.org.

Legal

AOLserver is a trademark of America Online.

Apache is a trademark of The Apache Software Foundation, and is used with permission.

The Reportlab Toolkit is a trademark of ReportLab.

mxODBC is a trademark of eGenix.com.

Apple and Mac OS are trademarks of Apple Computer, Inc., registered in the U.S. and other countries.

Microsoft Windows and Internet Information Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.



Send comments to webmaster at quixote.ca.