[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: proposing Section 508 compliance as requirement for 2.x



Hi

and to make matters worse, many of the input forms do a really, really ugly hack where each time a new item is added, instead of preserving state somewhere it's sent back to the client - html and all - in a hidden field. This alone makes it nearly impossible to properly protect against XSS attacks.

That said, I actually find the benefits of this to be superb. The back button works in nearly every screen perfectly. There is a tiny problem where if you resubmit a form then it tends to treat it as a new item, but that could be solved with some minor changes

Also it's very straightforward to open multiple windows and submit multiple invoices simultaneously.

As an aside, whilst I am not saying that it's impossible to do this all with only sessions, I am actually baffled as to how it could be done and need to do something similar in another project. So if someone can describe how to have multi-window state kept using only sessions then please let me know... (I can't see how to do it without having a session_id in the URL in order to figure out which window is submitting each time??)

Definitely we do want to split the display and business logic, but this might not be a feasible thing to do in any significant way until we move to Template Toolkit or some other similar mechanism.

Well TT is just an abstraction of the current logic anyway. Seems that 50% plus of the abstraction can be done with some judicious cut-n-paste on the existing view templates whilst leaving it roughly the same as it is now, ie put the controller code at the top and the CGI code at the bottom of the same sub even would be an improvement!

Changing this though should surely be a *massive* improvement in maintainability...!


Ed W