November 2018

There were 16 posts published in November 2018 (this is page 1 of 3).

Read XSS in hidden input fields

At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it’s behaving properly. Whilst doing this recently, Liam found a

I can absolutely see a case where users would interact, and and therefore become vulnerable to this exploit: Keyboard-only users, screen reader users, and speech recognition users. So this might be worth looking into, especially if you’re adding a ton of keyboard shortcuts to your app and calling it an accessibility improvement.
Read De-facto closed source: the case for understandable software

Code is the only thing you can trust when you want to know what the software is doing, when the company goes belly up, or when your system isn’t the same system that the original authors were developing on.
Code is the only thing you can trust, and by not reading it, you’ve forfeited the most important benefit provided by this ecosystem: the choice of not having to trust the authors regarding behavior or continuity.

This is a good read regarding the event-stream ongoing saga, and I agree with it, but I also have some things to add to it. For those of you who may not be familiar, (non-developers), event-stream was pulled from Node Package Manager, (something that gets used pretty frequently when building software in order to manage dependencies, otherwise known as other code bits you need in order to run/build your code bit), because it relied on another package which was found to have vulnerabilities. It was then handed over to someone else, who promptly added a cryptocurrency iner to it, at which point the internets freaked out. Frankly I don’t completely blame the new maintainer for adding the cryptocurrency miner. There are very large corporations who have no problem using open source software for their benefit, all while not supporting the maintainers. See for example: Apple and Microsoft. And if you can’t be relied on to hit that donate button, well then we’ll just use your processing power because eating habbits need to be supported. I’d like to add to the post I’m linking to though that, while I think code does need to be simpler and thus easier to understand, I also think maybe we need to simplify our build processes. But back to the “understanding” point, reading code is a learned skill, and I think to a certain extent it’s on the users, (and in this case the users are developers), to learn how to read code. As much as I’d like code to be simpler, outside of everyone who writes code taking courses/reading books on best practice and then applying all that, I don’t see this happening.
Read Playboy.com Sued by Man Alleging Website Not Accessible to the Blind

Playboy.com sued by man claiming website is not accessible to visually impaired.

I’m trying to decide if TMZ counts as accessibility hitting the mainstream or not. Also, someone should let them know that, (while Playboy Magazine has been available as part of the National Library Service for the Blind and Visually Handicapped for decades), in both braille and audio formats, blind people do not read Playboy for the articles. Some blind people are avid consumers of adult entertainment just as some sighted people are. Also, dear Playboy, if Pornhub can figure out how to make their entire site accessible while preserving its nature and content, you can too.
Watched
I came across this while reading an article about deleting Facebook even though deleting Facebook is a privilege. I appreciate the note of hope at the end, because I don’t believe simply disengaging from all these problems, (including the secondary ones like how we deal with politics and social issues as a society), is truly an option. Disengaging is not an option in my opinion because these issues are going to effect our lives and the lives of those around us whether we engage or not, and I think it’s better to have at least a slight idea of what’s coming and what’s happening than no idea at all.
Pocket has really nice integration with Firefox but asking me to solve a CAPTCHA every time I log in is very annoying. Time to move my bookmarks from there to my own site.
Read First Accessibility Agreement in U.S. to Use WCAG 2.1: Reached With Structured Negotiation

On November 2, 2018 Alameda County California, three blind residents, and the National Federation of the Blind announced a settlement designed to protect the rights of blind voters to participate fully in the county’s voting program.

It is the first agreement in the United States to include WCAG 

I’m glad to see that WCAG 2.1 is being adopted so quickly. It was released on June 5, 2018, WCAG 2.0 took a while to be adopted as the standard. 2.1 does a lot to address the needs of not only people with disabilities, but also people who are older, (sorry screen reader users, it’s not just about us and it never has been), and I’m pleased to see that we didn’t have to wait two years to see it adopted. I’m also glad the National Federation of the Blind resorted to structured negotiation and not a lawsuit, and would like to see more campaigning in the organization’s ranks for this approach.