Re: proposing Section 508 compliance as requirement for 2.x

[Ed W <..hidden..>]

Hi

> and to make matters worse, many of the 
> input forms do a really, really ugly hack where each time a new item is 
> added, instead of preserving state somewhere it's sent back to the client - 
> html and all - in a hidden field. This alone makes it nearly impossible to 
> properly protect against XSS attacks.
>   

That said, I actually find the benefits of this to be superb.  The back 
button works in nearly every screen perfectly.  There is a tiny problem 
where if you resubmit a form then it tends to treat it as a new item, 
but that could be solved with some minor changes

Also it's very straightforward to open multiple windows and submit 
multiple invoices simultaneously.

As an aside, whilst I am not saying that it's impossible to do this all 
with only sessions, I am actually baffled as to how it could be done and 
need to do something similar in another project.  So if someone can 
describe how to have multi-window state kept using only sessions then 
please let me know... (I can't see how to do it without having a 
session_id in the URL in order to figure out which window is submitting 
each time??)

>  Definitely we do want to split the display and business logic, but this might 
> not be a feasible thing to do in any significant way until we move to 
> Template Toolkit or some other similar mechanism.
>   

Well TT is just an abstraction of the current logic anyway.  Seems that 
50% plus of the abstraction can be done with some judicious cut-n-paste 
on the existing view templates whilst leaving it roughly the same as it 
is now, ie put the controller code at the top and the CGI code at the 
bottom of the same sub even would be an improvement!

Changing this though should surely be a *massive* improvement in 
maintainability...!


Ed W