9.7. TCL

Tcl stands for ``tool command language'' and is pronounced ``tickle.'' TCL is divided into two parts: a language and a library. The language is a simple text language, intended for issuing commands to interactive programs and including basic programming capabilities. The library can be embedded in application programs.

You can find more information about TCL at sites such as the TCL WWW Info web page. Probably of most interest are Safe-TCL (which creates a sandbox in TCL), Safe-TK (which implements a sandboxed portable GUI for Safe-TCL), and the WebWiseTclTk Toolkit, which permits TCL packages to be automatically located and loaded from anywhere on the World Wide Web. You can find more about the latter from http://www.cbl.ncsu.edu/software/WebWiseTclTk. It's not clear to me how much code review this has received. More useful information is available from the comp.lang.tcl FAQ launch page at http://www.tclfaq.wservice.com/tcl-faq.

However, it's worth noting that TCL's desire to be a small, ``simple'' language results in a language that can be rather limiting; see Richard Stallman's ``Why You Should Not Use TCL''. For example, TCL's notion that there is essentially only one data type (string) can make many programs harder to write (as well as making them slow).

Also, when I've written TCL programs I've found that it's easy to accidentally create TCL programs where malicious input strings can cause untoward and unexpected behavior. Because everything is a string, data that was read as input may later be re-parsed as TCL code (for example by eval, by subst, or by expr when its argument is not enclosed in braces). An attacker may then be able to cause your TCL program to do unexpected things by sending characters with special meaning to TCL, such as embedded spaces, double-quotes, curly braces, dollar signs, or brackets (or by sending input that causes these characters to be created during processing). Thus, I don't recommend TCL for writing programs which must mediate a security boundary. If you do choose to do so, be especially careful to ensure that user input cannot ``fool'' the program: pass data as separate command arguments rather than building command strings, always brace the expressions you hand to expr, and build any command you must eval with list so that each argument is quoted.

On the other hand, I know of no strong reason (other than insufficient review) that TCL programs can't be used to implement mobile code. There are certainly TCL advocates who will advocate more use than I do, and TCL is one of the few languages with a ready-made sandbox implementation.
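The following is an added example, not code from the HOWTO or its author, showing two of the ways described above in which a TCL program can be ``fooled'' by input containing brackets: a command built as a string and handed to eval, and an unbraced expression handed to expr. The hostile input strings and the procedure names (log_vulnerable, log_safe, double_vulnerable, double_safe) are constructed for this illustration; each vulnerable form is shown beside the form that treats the input as plain data.

```tcl
#!/usr/bin/env tclsh
# Added illustration (not from the HOWTO): how attacker-controlled text
# gets re-parsed as Tcl code, and the forms that avoid it.
# The input strings below are constructed for the demonstration.

# A bracketed word is a command substitution in Tcl.  As data it is
# harmless; it runs only if the string is later re-parsed as a script.
set hostile {x [puts "INJECTED: command substitution ran"]}

# 1. Building a script as a string and evaluating it.
# "$input" is substituted once (the brackets are NOT executed here), but
# eval then re-parses the resulting text, so the [puts ...] inside the
# input executes as a command.
proc log_vulnerable {input} {
    eval "puts \"received: $input\""
}

# Hardened: build the command as a proper list.  `list` quotes each
# element, so brackets, dollar signs, braces, quotes and spaces in the
# input survive the later evaluation as ordinary characters.
proc log_safe {input} {
    eval [list puts "received: $input"]
}

# 2. expr performs its own substitution pass.  With an unbraced argument
# the value of $n has already been pasted into the expression text, and
# expr re-substitutes that text, so brackets in it are executed.
proc double_vulnerable {n} {
    return [expr "$n * 2"]
}

# Hardened: brace the expression.  expr then fetches the value of $n as
# an operand and rejects it if it is not a number instead of running it.
proc double_safe {n} {
    return [expr {$n * 2}]
}

puts "--- string-built script ---"
log_vulnerable $hostile   ;# prints the INJECTED line, then "received: x "
log_safe $hostile         ;# prints the raw input text; nothing executes

puts "--- expr ---"
set n {[puts "INJECTED: expr ran a command"]3}
puts [double_vulnerable $n]   ;# prints the INJECTED line, then 6
if {[catch {double_safe $n} err]} {
    puts "double_safe rejected the input: $err"
}
```

Run it with tclsh and compare the two halves of each pair: the vulnerable forms print the INJECTED lines, the hardened forms either print the input verbatim or raise a ``non-numeric string'' error. The same rule covers subst and any other command that takes a script or expression as a string: never let input text reach a second round of parsing.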