Read XSS in hidden input fields by an author (Web Security Blog | PortSwigger)

At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it’s behaving properly. Whilst doing this recently, Liam found a

I can absolutely see a case where users would interact, and therefore become vulnerable to this exploit: Keyboard-only users, screen reader users, and speech recognition users. So this might be worth looking into, especially if you’re adding a ton of keyboard shortcuts to your app and calling it an accessibility improvement.
Read De-facto closed source: the case for understandable software by an author (13brane.net)

Code is the only thing you can trust when you want to know what the software is doing, when the company goes belly up, or when your system isn’t the same system that the original authors were developing on.
Code is the only thing you can trust, and by not reading it, you’ve forfeited the most important benefit provided by this ecosystem: the choice of not having to trust the authors regarding behavior or continuity.

This is a good read regarding the event-stream ongoing saga, and I agree with it, but I also have some things to add to it. For those of you who may not be familiar, (non-developers), event-stream was pulled from Node Package Manager, (something that gets used pretty frequently when building software in order to manage dependencies, otherwise known as other code bits you need in order to run/build your code bit), because it relied on another package which was found to have vulnerabilities. It was then handed over to someone else, who promptly added a cryptocurrency miner to it, at which point the internets freaked out. Frankly I don’t completely blame the new maintainer for adding the cryptocurrency miner. There are very large corporations who have no problem using open source software for their benefit, all while not supporting the maintainers. See for example: Apple and Microsoft. And if you can’t be relied on to hit that donate button, well then we’ll just use your processing power because eating habits need to be supported. I’d like to add to the post I’m linking to though that, while I think code does need to be simpler and thus easier to understand, I also think maybe we need to simplify our build processes. But back to the “understanding” point, reading code is a learned skill, and I think to a certain extent it’s on the users, (and in this case the users are developers), to learn how to read code. As much as I’d like code to be simpler, outside of everyone who writes code taking courses/reading books on best practice and then applying all that, I don’t see this happening.
Read Playboy.com Sued by Man Alleging Website Not Accessible to the Blind by an author (TMZ)

Playboy.com sued by man claiming website is not accessible to visually impaired.

I’m trying to decide if TMZ counts as accessibility hitting the mainstream or not. Also, someone should let them know that, (while Playboy Magazine has been available as part of the National Library Service for the Blind and Visually Handicapped for decades), in both braille and audio formats, blind people do not read Playboy for the articles. Some blind people are avid consumers of adult entertainment just as some sighted people are. Also, dear Playboy, if Pornhub can figure out how to make their entire site accessible while preserving its nature and content, you can too.
Watched
I came across this while reading an article about deleting Facebook even though deleting Facebook is a privilege. I appreciate the note of hope at the end, because I don’t believe simply disengaging from all these problems, (including the secondary ones like how we deal with politics and social issues as a society), is truly an option. Disengaging is not an option in my opinion because these issues are going to affect our lives and the lives of those around us whether we engage or not, and I think it’s better to have at least a slight idea of what’s coming and what’s happening than no idea at all.
Pocket has really nice integration with Firefox but asking me to solve a CAPTCHA every time I log in is very annoying. Time to move my bookmarks from there to my own site.
Read First Accessibility Agreement in U.S. to Use WCAG 2.1: Reached With Structured Negotiation by an author (Law Office of Lainey Feingold)

On November 2, 2018 Alameda County California, three blind residents, and the National Federation of the Blind announced a settlement designed to protect the rights of blind voters to participate fully in the county’s voting program.

It is the first agreement in the United States to include WCAG 

I’m glad to see that WCAG 2.1 is being adopted so quickly. It was released on June 5, 2018; WCAG 2.0 took a while to be adopted as the standard. 2.1 does a lot to address the needs of not only people with disabilities, but also people who are older, (sorry screen reader users, it’s not just about us and it never has been), and I’m pleased to see that we didn’t have to wait two years to see it adopted. I’m also glad the National Federation of the Blind resorted to structured negotiation and not a lawsuit, and would like to see more campaigning in the organization’s ranks for this approach.
I now have a checkbox on my add new post screen which lets me choose whether or not to send posts to Jetpack subscribers, which means I get to have the best of both worlds. Thanks for that filter, Jetpackers.
I’m really, really glad to see that Deque Systems is participating in/holding a hackathon at this year’s WordCamp US contributor day along with the Accessibility Team and those on the core team who are familiar with WordPress’s testing environment, in order to integrate aXe-Core into our core. Can we call this inception yet? I use Tenon, (a competing tool), and of course I’m a Tenon fan, but I also really like aXe-core. I just find it harder to use as a screen reader user trying to fight with Firefox’s developer tools, and Chrome’s developer tools are less accessible than Firefox’s. I’m still working out some last minute details to hopefully make it to WCUS this year so I can participate. I don’t know much about WordPress’s tests but would love to help in person any way I can. Plus, it’s WordCamp. This is an incredibly positive step forward for both WordPress as well as Gutenberg, and nothing makes me happier than to see it. This is the starting point on the road to making Gutenberg one of the most awesome things on the planet in my opinion: a block editor and eventually a complete site editor with drag-and-drop capabilities that everyone can use.
Quoted

Dear leadership: Get your shit together because this is one of a handful of people who are actually experts who are also skilled React devs and your squandering WordPress’s hard-won rep on a11y for an arbitrary deadline is a damn shame.
Liked Push without notifications by Jeremy Keith (Adactio: Jeremy Keith)

What if users could be sure they wouldn’t be annoyed by websites after they grant permission to receive notifications?

I clicked on the link for Jeremy’s presentation, only to be directed to his book on this subject, which I will promptly be buying. I spent a little time looking through the A Book Apart catalog and didn’t realize that had so much cool stuff. And yes, as a user, I would really appreciate not being annoyed on a constant basis by websites I’ve given permission to notify me. I gave Slack permission to do that on the old computer and that was one of the first things I didn’t set up on the new one.
Replied to WYSIWYG Editor Blues by Greg McVerry (Quick Thoughts)

When your CMS Just decides to change things. I know it’s deterministic. Has to be a reason, but not sure what it is
Trying to stick in my source

This was also posted to
/en/bloggingresearch.

The first thing I can tell you that may help you solve part of the problem you’re experiencing is that, unless you have WordPress’s wpautop function overridden, you do not need to add paragraph tags to your code. You simply need to separate paragraphs by pressing the enter key twice, as you would in a word processor. If you’re like me and you despise the fact that WordPress picks on the humble paragraph tag, you can disable it either by filtering wpautop or by using a plugin like Toggle wpautop. To add your syndication sources, (at least for things that aren’t yet supported by the Syndication Links plugin), I would recommend adding some custom buttons to your editor. You can do that by using a plugin called Tiny MCE Advanced. You can also do it with code but if you’re just trying to get something done quickly and you don’t feel like writing yourself a custom functionality plugin for the buttons, this will do it without all the trouble.
Current status: About to piss a bunch of people off on the NFB Jobs mailing list by replying to a message which advocates for a weekly salary and anonymity for blind people participating in the drive-by demand letter racket.
Liked State of the Social Reader by an author

Last weekend during the Berlin IndieWeb Camp, Aaron Parecki gave a brief overview of where he/we is/are concerning the ‘social reader’. This is of interest to me because since ever I have been reading RSS, I’m doing by hand what he described doing more automatically.

I’ve only dipped my toes into the topic of social readers. I definitely believe they are the best way forward for RSS and the Indieweb in general, but I’m so used to the current way of handling RSS as a consumer that it’s taking me a while to make the jump between traditional RSS and social reading without the middle man of a social network.
Dear WordPress. I get it. Everybody’s tired of hearing about Gutenberg, and it sucks when you’ve worked so hard on something, only to have a ton of people harshly criticize it. I get it. For Matt and the Gutenberg team, Gutenberg is your baby, and right now it seems like all of us are calling your baby ugly, dismissing all the hard work you’ve put in. Personally, I would love nothing better than to say only positive things about Gutenberg, and to talk about how much better it is than Squarespace’s or Wix’s editor, just to name a few. I would love to not participate in what’s being dismissed as WordPress drama because I, like you, hate drama. Unfortunately I do not have that privilege. I do not have the privilege of simply ignoring Gutenberg’s accessibility problems, because when it becomes the default editor those accessibility problems will directly affect my livelihood. Unless the Classic Editor plugin is per-user and per-post/post type, and unless it seamlessly converts back and forth between Gutenberg blocks and current content, it’s not even close to a workable solution. And that’s not even addressing the fact that, essentially, people with disabilities are being forced to wait on the sidelines again because a break-neck development pace and reliance on volunteers and having a shiny new thing to show off at WordCamp US were more important than whether or not WordPress demonstrated true leadership and did something truly innovative by releasing the first and only block editor that everyone can use no matter their physical ability or technical expertise. OK, so you’ve added some keyboard shortcuts and you do some really awesome things to ensure that what you deliver is an accessibility improvement upon what’s come before in this space. That’s great, but it’s not a first. Wix already does this and has done so for about a year. 
I mean, I can’t use their editor anymore since they just couldn’t handle attributing WordPress for that awesome update they had for a minute, but hey, they added some keyboard shortcuts and any new site starts with an accessible base and they did it all by themselves so that’s an improvement. I suppose when you go from zero accessibility to partial accessibility you have no choice but to call that an improvement, but that’s not what WordPress is doing. WordPress is improving accessibility on the front end and people with disabilities are picking up the tab. Instead of doing something truly amazing and wonderful and being the first to create a block editor that has complete drag-and-drop capabilities plus the ability for anyone who doesn’t use a mouse or who uses some kind of assistive technology to have complete control over what they create, WordPress is merely copying its competitors when it comes to releasing something that’s inaccessible and then promising to fix it later. Geocities promised to make their page builder accessible. It never happened. Google, same thing. Squarespace, they’re still making us vote on it I think, but I suppose they should maybe get points for at least being honest about the fact they really don’t give a damn. Wix resisted for years and finally started to get around to it, but they made all kinds of promises too and it’s a year later and we’re still waiting for an editor we can use. The list goes on and on and on. Anybody who’s been on the web longer than two seconds knows this song because it’s been played so often. Forgive me if I don’t exactly take promises to fix Gutenberg’s accessibility problems as anything other than promises in the dark. So yeah WordPress, I know WordPress drama sucks. I’d love to return you to your regularly scheduled program. 
But the WordPress I adopted as my home and as my family is better than Wix or Squarespace or Google or Geocities and I believe that it is still capable of doing great things that will shake the foundations of the web, and passing that up for the sake of speed development and a new shiny is missing an opportunity that you can never take advantage of again.
Maybe we accessibility folk are a cranky, and at times uncivil bunch. But we wouldn’t be cranky or uncivil if we didn’t have to constantly rehash the basics.