in reply to web site design, or lack thereof

One more clue, or lack thereof story. I stumbled upon this from some consulting/integration work I'm doing for a client.

My client outsources a major application from a company. The company provides an XML based API to do various management functions. You pass commands in a simple XML format via POST'ed forms.

Here's where the strangeness starts- You have to pass the admin username/password to access the management features, obviously.

Well, one of the ways they advocate interfacing with their API is to send an HTML page back to the client (the person at the web browser, in this case) with the form and data you want to POST (yes, with the admin username/password in it). The page has a javascript "onLoad()" handler that submits the form back into the API. This made my hair stand on end- this page with the admin info will be stored in the cache, and what if a user has javascript turned off (like if they were trying to hack the outsourced application?) I hope no one actually implements this- but I feel for people using languages without LWP, this would probably be the only easy way to do it.

I'm doing all the API work server-side with LWP::UserAgent because there's NO WAY IN HELL that I would send the admin username/password to the client. What the hell are they thinking? This app stores personal info about people (potentially CC numbers too). I pointed this out to them, and they said "We'll look into this. . ." I plan on following up with them soon, because I just can't let this one slip.

The outsourced app is actually pretty amazing, feature/function-wise, it just seems like there is a disconnect somewhere along the way. .

-Any sufficiently advanced technology is
indistinguishable from doubletalk.