magazine resources subscribe about advertising




 CD Home < Web Techniques < 1997 < December  

Client-Side Programming with Tcl

By Chris Baron

Imagine a powerful, platform-independent language that lets you put a full GUI interface on Web page. This language has built-in security features, lots of free development tools and libraries, and is available free from Sun Microsystems. Java, you're thinking? Wrong. I'm talking about the Tool Control Language (Tcl, pronounced "tickle") in the form of a browser plug-in for Navigator 3.0 and Internet Explorer 3.0. Both the language and plug-in are produced by the Sun Microsystems SunScript group. But, you're thinking, what could Tcl possibly do for me that HTML, JavaScript, VBScript, Java, Visual Basic, SQL, C/C++, and Perl don't? Read on.

What is Tcl?

Tcl is an interpreted scripting language developed in 1987 by Dr. John Ousterhout, currently head of the SunScript group at Sun Labs. Ousterhout, along with twelve other full-time people, continues to develop Tcl at Sun. With a user base estimated at around half a million worldwide, Tcl is something of a cult classic among programming languages. It doesn't get much press, but Tcl users are true believers.

Like Perl, Tcl was originally developed as an alternative to C, to tie various applications together and perform scripting functions on UNIX systems. Tcl was also designed to be embedded into an application to provide a basis for a built-in command language. Unlike Perl, however, Tcl included almost from the start an interface to the X Window graphical-windowing system. This interface, called the "Toolkit" or "Tk," gives Tcl what Perl programmers can only dream of -- an easy way to put a graphical interface on a script that doesn't require ten times has much work as the script itself. Recent versions of Tcl and Tk run on nearly all UNIX platforms, 32-bit flavors of Windows, and MacOS. Version 8.0 of Tcl/Tk, which should be available by the time you read this, adds a native windowing system look and feel for all platforms and a runtime bytecode compiler, giving Tcl a needed performance boost. Tcl 8.0 code runs more slowly than equivalent Java code, but performance improvements are expected in subsequent versions.

Tcl/Tk is flexible and extensible, and it provides both an easy way to add GUIs to scripts and a free cross-platform GUI application-development platform. Furthermore, a plug-in for recent versions of the Netscape and Microsoft Web browsers lets you display your Tcl/Tk GUI on a Web page. (See " Figure 1".)

The Tcl Browser Plug-in

Since Tcl was intended to be embedded into other applications, it was relatively easy to create a browser plug-in. No other plug-in I'm aware of provides Tcl's combination of a general-purpose programming language and integrated cross-platform GUI toolkit. Tcl applications embedded in a Web page are called "Tclets" (pronounced "ticklets") because of their similarity to Java applets. The HTML <EMBED> tag is used to tell the browser to use the Tcl plug-in to execute Tcl program code fetched from the Web server.

Tcl Me

To try out the examples in this article, you will need to download and install the plug-in from the SunScript Web site. I found installation to be a no-brainer on both my Windows 95 and Linux systems. Example 1(a) gives the Tcl code for a very simple "Hello World" Tclet that opens a new GUI window, complete with mouse-event filtering and a command callback. The interface consists of a button widget with the label "Hello World!" When the button is clicked, the Tclet calls the command callback for the button and the Tclet exits. This erases the Tclet display area from the browser window.

To test this Tclet in an HTML page, enter the code in Example 1(a) and save it as hello.tcl. You must use the .tcl extension for the browser to call the proper plug-in. Example 1(b) gives some HTML code to display the Tclet. Enter it into your editor and save this file into the same directory as the Tclet. You can view the Tclet simply by loading the HTML page into your browser.

The WIDTH and HEIGHT arguments in the <EMBED> tag control the size of the area in the browser window used to display the Tclet. These two arguments are required for all Tclets because they are used by the browser to lay out the page. Other arguments pass parameters or data to the Tclet. You may use as many additional arguments as you like.

To show the power of Tcl/Tk for creating interactive interfaces, a second example creates a drawing canvas with two text strings on it. These strings and their colors are defined by <EMBED> tag arguments, along with the background color of the canvas widget. You can drag these text items around using the mouse. In Java, this would take many lines of code and create a pretty large applet. Listing One gives the Tcl code for the draggable text Tclet.

The arguments passed to the Tclet from the HTML file are accessed through the embed_args() array. Listing Two gives the HTML code to display this Tclet on the browser. The arguments in the <EMBED> tag in Listing Two are used to pass the text strings and colors to the Tclet. The functionality is pretty sophisticated for 33 lines of code. A screen shot of the browser running this example is shown in Figure 2. To change the text or its color, edit the HTML file and change the arguments in the <EMBED> tag.

The first two Tclets are fine for many self-contained applications. The SunScript Web site has several more demonstration Tclets of this type, along with links to other Tclet sites. However, a large set of applications require the Tclet to communicate outside of itself to read and write data to and from other systems. To support these needs, the browser plug-in includes all the features of Tcl for reading and writing files and communicating with other systems via sockets or HTTP. This allows Tclets to communicate with Web and other network servers. Currently, CGI-based applications are limited to a forms-based interface provided by the Web browser. Java is the most common alternative to HTML for creating a nice GUI for Web-based applications. The Tcl plug-in is another option for creating an attractive interactive GUI. The succinct nature of the Tk interface allows developers to create a very sophisticated interface with minimal code.

The Tcl Plug-in and CGI

Now I'll examine a more complex Tclet that interfaces with a Perl CGI script on a Web server to perform database administration. Many small databases are stored on the Web server as comma- or otherwise delimited text. Normally FTP is used to transfer the file for local editing or a CGI/HTML forms interface is used, but neither is very efficient or user friendly. Also, some firewalls block FTP and other services, rendering FTP or Telnet unusable from certain locations. Using the Tcl plug-in, however, you can use a Tclet with a nice interactive GUI to edit databases right on the Web browser.

The Tcl code in this example was written by Jacob Levy (jyl@Eng.Sun.COM), head of the Tcl plug-in development team at SunScript. Please send Jacob email if you find this Tclet useful or informative. Like any proud parent, Jacob likes feedback on both the plug-in's successes and shortcomings. (Also see " Online".)

While the Tclet is too long to include in its entirety, we'll look at a highlights of the code to give you a feel for how the Tclet works. At the top of the Tclet we see the code in Listing Three, which imports the "Outside" security policy file that defines the language commands available to this Tclet. (I'll cover Tcl security a little later in the article.)

The $embed_args array is automatically populated with the arguments from the <EMBED> tag. Here we extract the field delimiter for parsing the database file along with the database filename to pass to the CGI script. The URL for the "server" CGI script is set in Example 2(a).

When the HTML page is loaded, the browser processing parses the <EMBED> tag and requests the Tcl file from the Web server. When this file is received, it activates the plug-in and passes it the Tcl file along with the arguments from the <EMBED> argument list. Example 2(b) displays the Tclet within an HTML page.

At startup, the Tclet prompts the user for a password to access the database file. Listing Four generates the password screen using very little code.

After the user enters the password and either clicks the OK button or hits Return, the Tclet sends an HTTP POST request to the CGI script on the Web server to return the data from the database file. The filename and field delimiter for this database are given in <EMBED> statement arguments. Example 3 simulates a browser call to the CGI script.

The browser_getForm routine is part of the standard HTTP library distributed with Tcl. However, in the plug-in it is normally disabled for security reasons. The outside security policy we imported earlier re-enables this command for a set of explicitly defined URLs (more on this later). When the data is returned from the Web server, the callback routine (fetchCallback) is called with the results of the CGI script. Figure 3 shows a screen shot of the Tclet's two display modes.

The CGI script, written in Perl, is shown in Listing Five. It functions as our database "server." The CGI returns the data from the database in a very raw form as a series of plain text lines. Records are assumed to terminate with an end-of-line sequence. The first line of the file contains the field names, separated by the delimiter, followed by the data records. The raw data is turned into presentable text on the client side by the Tclet. The Tclet displays the data fields in a spreadsheet-like grid widget with each of the columns labeled with the field name. The grid widget automatically provides scrollbars and editing features such as using the Tab key to traverse the cells. To create a new record, place your cursor in the last field of the last row and hit Return. To delete a record, clear the entries in all fields. Clicking the Save or Save and Exit buttons sends the edited data file back to the CGI script, which replaces the database file on the server with the edited data. The Web application using the database can then be tested with the edited database. Additional edits can be made using the Save button, and the database can be updated by simply clicking the Save button again. To restart the Tclet after clicking the Save and Exit or Exit without Saving buttons use the Reload/Refresh button on the browser.

Although Tcl is a compact language, the complete source listing for our demo Tclet is a little too long to publish in the magazine. You can download the source for both the Tclet and the CGI script from my Web site ( or from; see "Availability" on page 3.

Tclet Security

Before you can run the Tclet, you must modify the default plug-in security policy. By default Tclets are not allowed access to any restricted functions like opening a network socket (as this Tclet does). To enable these functions, you must add my Web site to the list of sites allowed to use the "Outside" security policy. This policy is intended for Tclets residing outside your "trusted" network area. To modify the policy find the file outside.cfg at c:\tclplugin\2.0\tcl8.0\policies\outside.cfg (Windows) or /usr/local/netscape/plugins/tclplug/2.0/policies/outside.cfg (UNIX). Scan down through the file until you see lines that look like Example 4, and add an entry for the URL of the demonstration Web site.

Once you save the file you'll be able to load and run the Tclet from my Web site. Tclets that don't request access to services restricted by the plug-in will run from any site. The display-only Tclets on the SunScript and other sites don't use any restricted functions so they will run without modifying the security policy.

To address security concerns, a special flavor of Tcl/Tk called Safe-Tcl is used as the basis for the plug-in. Safe-Tcl allows only a restricted set of privileges and commands to untrusted scripts. Permission must be explicitly granted to a Tclet for it to use any of the restricted functions. The basic security policy built into Java allows an applet access to files and resources only on its "home" server. Tcl supports this policy along with others, such as the "Outside" policy used for our demonstration Tclet. Instead of imposing a one-size-fits-all security policy, Safe-Tcl, and by extension the Tcl plug-in, allow very fine-grained control of security policies to reflect your network and security requirements. Access to individual Tcl commands can be enabled or disabled for a single URL. This provides much needed flexibility to allow or deny functionality depending on whether the application is running on a closed intranet or on the Internet. Check the SunScript Web site for more details.


If you're willing to invest a little time, I think you'll find Tcl/Tk to be a valuable addition to your Web-development arsenal.

Unlike many products that claim cross-platform compatibility, Tcl/Tk scripts actually run on 32-bit Windows, Macintosh, and nearly all UNIX platforms. The integrated Tk graphics package makes it easy to add a sophisticated graphical interface to Tcl scripts without getting bogged down in the nitty gritty of GUI programming. Tcl security is controlled by a set of flexible security policies that allow administrators to enable or disable access to Tcl features as needed based on individual requirements and the network environment.


Johnson, Eric F. Graphical Applications with Tcl & Tk. New York, NY: M&T Books, 1996.
Ousterhout, John. Tcl and the Tk Toolkit. Cambridge, MA: Addison-Wesley, 1994.
Welch, Brent. Practical Programming in Tcl and Tk, second edition. Englewood Cliffs, NJ: Prentice Hall, 1997.

(Get the source code for this article here.)

Chris is an independent Web developer and consultant. He is co-author with Bob Weil of Drag 'n' Drop CGI: Enhance Your Web Site Without Programming (Addison-Wesley, 1997). He can be reached at

Copyright © 2003 CMP Media LLC