Monday, January 18, 2010

Security analysis, JavaScript, and XForms

Some recent events have brought to the fore troubles with sprawling web user agents. The trend toward defining more semantics in open-coded JavaScript, or in calls to large JavaScript libraries, is troubling. Statically analyzing imperative JavaScript libraries and calls is surely a more difficult task than analyzing declarative markup that expresses the same semantics.

These problems aren't new, nor are they limited to HTML uses of JavaScript: PDF is vulnerable as well, and again.

Some claim that JavaScript is used for mundane tasks such as boolean constraint validation and data type assignment because the market demands it. It's time for the market to wake up to the terrible cost of security flaws inherent in the JavaScript model, and demand integration of data types, constraints, validation, repeating and switch structures, and rational data submission: XForms 1.1 provides a good start.
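
The static-analysis argument above can be made concrete. This is an added example, not code from the original post: a short Python script reads a constructed XForms 1.1 model and, without executing anything, lists the declared types and constraints, finds instance fields that have no bind, and reports submissions that do not target an absolute https URL. The sample model, the host forms.example and the function name audit_model are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"xf": "http://www.w3.org/2002/xforms"}

# Constructed sample: a model with typed, constrained data and two submissions.
SAMPLE = """<xf:model xmlns:xf="http://www.w3.org/2002/xforms"
          xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xf:instance>
    <order xmlns=""><qty/><email/><note/></order>
  </xf:instance>
  <xf:bind nodeset="qty" type="xs:integer" required="true()"
           constraint=". &gt; 0 and . &lt; 100"/>
  <xf:bind nodeset="email" type="xf:email" required="true()"/>
  <xf:submission id="save" method="post" resource="https://forms.example/orders"/>
  <xf:submission id="log" method="post" resource="http://forms.example/audit"/>
</xf:model>"""


def audit_model(xml_text):
    """Return (binds, unbound, non_https) from a purely static read of the markup."""
    model = ET.fromstring(xml_text)
    # Every validation rule is an attribute on a bind; nothing has to be executed.
    binds = {
        b.get("nodeset"): {p: b.get(p) for p in ("type", "required", "constraint") if b.get(p)}
        for b in model.iterfind(".//xf:bind", NS)
    }
    # Instance leaf nodes without a bind carry no declared type or constraint.
    # Assumption: each nodeset is a bare child element name, as in the sample,
    # so a name comparison stands in for full XPath evaluation.
    instance = model.find("xf:instance", NS)
    leaves = [el.tag for el in instance.iter() if len(el) == 0]
    unbound = [name for name in leaves if name not in binds]
    # Submission targets are plain attributes too. XForms 1.1 uses "resource";
    # "action" is the older spelling. Relative targets are reported as well,
    # because their scheme depends on where the form is served from.
    non_https = []
    for sub in model.iterfind("xf:submission", NS):
        target = sub.get("resource") or sub.get("action") or ""
        if urlparse(target).scheme != "https":
            non_https.append((sub.get("id"), target))
    return binds, unbound, non_https


if __name__ == "__main__":
    binds, unbound, non_https = audit_model(SAMPLE)
    print("declared rules:", binds)
    print("fields with no bind:", unbound)
    print("submissions not over https:", non_https)
```

The equivalent checks against hand-written JavaScript validation would require locating and interpreting the code that enforces each rule and issues each request.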

Tuesday, June 2, 2009

Screen Reader A11Y for dynamic web applications

While XForms is inherently accessible, some members of the A11Y community define accessibility as compatibility with Screen Reader software. More often than not, this means expressing dynamic pages without JavaScript.

Native XForms support in browsers would be great for A11Y, but until these communities converge, another option for preserving your investment in dynamic pages yet offering A11Y is to use a server-side XForms processor.

  1. Author your dynamic pages using XHTML+XForms.
  2. Use a server-side engine to transform this standards-based markup into HTML + JavaScript.
  3. For A11Y clients, transform to static HTML with a refresh option.

Until today, only Chiba XForms offered this route; but now, Orbeon Forms 3.7.1 adds "noscript mode," which does just that.

So, to preserve your web application development investment and get A11Y right now, avoid writing directly to JavaScript libraries. Instead, have your dynamic web applications produce XHTML+XForms markup, and deliver that to the browser using Ubiquity XForms, Chiba, Orbeon, XSLTForms, or any other processor compatible with the W3C XForms standard.

Standards compliance and interoperability test suites assure that you'll have minimal re-work when delivering the same application through different routes. And now, with no-script accessibility from two different vendors!

Thursday, April 30, 2009

TV Raman on XForms and Screen-Scraping

TV Raman, who ought to know a thing or two about screen scraping, comments on Sam Ruby's HTML Reunification and shows that the shibumiscript approach makes things easier for scripts, not harder.

Needless to say, we agree.


Friday, August 8, 2008

History Repeats (Itself), or Apple Bites (Itself)

Geesh, even Danger with its self-focused secrecy paranoia never went this far:
This latest unconfirmed application wrinkle comes as developers continue to wrangle with Apple regarding its contentious non-disclosure agreement (NDA), which prevents developers from talking to one another regarding programming tips, hints and guidance -- which would, you’d assume, lead to happier users via the creation of better iPhone applications in the long run.

Tuesday, July 8, 2008


Mark Birbeck writes about Progressive Browser Enhancement, very much the shibumiscript way.

Thursday, May 22, 2008

AJAX is simple. XForms is simpler.

I came across a short, fun, hype-free summary of AJAX by Daniel Lorch. I thought it would be fun to take a similar look at some of the parts of XForms that declaratively wrap up the same concepts: the Instance DOM (data DOM), Submission (XHR), and Output (presentation without DOM mutation). Read my article AJAX is Simple; XForms is Simpler. There's another article to be written about validation using XForms client-side, declarative constructs, but it's off tangent from Daniel's article.

Point 5 of Daniel's article says, "Doing AJAX by hand is certainly possible and helps understanding it, but using a good library makes the whole experience more comfortable." The shibumiscript approach is to consider XForms a way of expressing intent, and letting AJAX do the work for you.

A challenge: Can XForms do better? Yes, by better integration with XHTML (single namespace), and by authoring conveniences that reduce typing and add defaults. Look for more of these in upcoming "XForms Simplification" from XForms 1.2 from the W3C.

Wednesday, May 14, 2008

Ubiquity XForms

Mark Birbeck of formsPlayer and John Boyer of IBM have put together a small team that should be the start of something big: nothing short of Ubiquity for XForms. Ubiquity is an all-AJAX library using YUI (and with an eye on scriptaculous and others coming up) that provides XForms functionality right in today's browsers, and mixes well with AJAX code. With the backing of IBM and Mark's new company webBackplane and the involvement of expert Paul Butcher, this project is sure to be a rallying point for the kinds of ideas shibumiscript is about. I'm looking forward to seeing what kinds of contributions Ubiquity gets from the community.