Compsoft plc

Friday, November 10, 2006

Tim Jeanes: Microsoft TechEd (Friday)

A session on creating secure websites today was a little disappointing in that we didn't learn much, but I took it as encouragement that we're already doing things the right way. (There was one small vulnerability that it brought up, but of course I can't tell you what that is until I've got back and fixed it in the one site it applies to. It's pretty well a one-line fix, so I don't feel too bad about that.)

Microsoft have a new product out for analysing the potential security risks in your websites, but as it mostly seems to be a matter of your ticking boxes to say what technology you're using and it then telling you what to watch out for, I think I'll stick to reading the relevant articles on MSDN.

The seminar "Accessibility in the AJAX age" was led by one of the contributors to the W3C standards for page accessibility. With browser technology moving forwards so quickly, and innovations such as AJAX driving the user experience forwards, it's encouraging to hear that accessibility devices such as screen readers are (just about) keeping pace with these changes. Though it's still extremely easy to confuse such devices (or human users with any of a range of disabilities) by writing poor HTML or CSS, so long as you stick to the basic tenet of having your HTML say exactly what you mean, rather than using layout tricks to make the final result look like what you mean, then you're not going to go too far wrong. Making sure the only JavaScript event you rely on is the onclick event, and that you never expect anyone to click something that isn't a link or a button, will give you reliable DHTML.

AJAX makes things a little trickier though. A blind user will know to click a link to expand a details panel, for example, but their screen reader will take a snapshot of the updated page with the "Please wait... loading" message you thoughtfully put in. As the completion of the asynchronous call to the server uses only JavaScript to update the page, the finished content doesn't appear to the user. The way round this is to navigate a hidden IFrame to a blank page (with a GUID in the query string to prevent any caching issues). Screen readers will take this navigate event as their cue to reread the HTML and present the changes to the user.
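The hidden-IFrame workaround described above, sketched as an added example that is not code from the session or from this blog. The function names, the `blank.html` page, the `srRefresh` frame id and the zero-size hiding style are assumptions, and a timestamp plus counter stands in for the GUID.

```javascript
// Added example; function names, "blank.html" and the frame id are assumptions.
let navCount = 0;

// Return a URL that has never been requested before, so the navigation cannot
// be satisfied from cache. A timestamp plus counter stands in for the GUID.
function uniqueBlankUrl(blankPage) {
  navCount += 1;
  const token = Date.now().toString(36) + "-" + navCount;
  const sep = blankPage.includes("?") ? "&" : "?";
  return blankPage + sep + "nocache=" + encodeURIComponent(token);
}

// Find the hidden iframe, creating it on first use. Zero size with no border
// keeps it out of the visual layout (the hiding style is an assumption).
function ensureHiddenFrame(doc, frameId) {
  let frame = doc.getElementById(frameId);
  if (!frame) {
    frame = doc.createElement("iframe");
    frame.id = frameId;
    frame.style.width = "0";
    frame.style.height = "0";
    frame.style.border = "0";
    doc.body.appendChild(frame);
  }
  return frame;
}

// Navigate the hidden frame to the blank page and return the URL used.
function announceChange(doc, frameId, blankPage) {
  const url = uniqueBlankUrl(blankPage);
  ensureHiddenFrame(doc, frameId).src = url;
  return url;
}

// Run an asynchronous page update, then navigate the frame whether the update
// succeeded or failed, so the "loading" message is never the last thing read.
async function updateThenAnnounce(doc, update, frameId = "srRefresh", blankPage = "blank.html") {
  try {
    return await update();
  } finally {
    announceChange(doc, frameId, blankPage);
  }
}
```

In a page, `doc` is `document` and `update` is the function that makes the asynchronous call and writes the result into the panel.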

These blogs, by the way, have been uploaded over the wireless network in free moments between sessions. It's pretty impressive that they've set up a network capable of supporting the needs of 6,000 people armed with laptops.

There's a short video of our exploits here.
