To address Tom's concern on verifying input: one thing that seems to have been accepted as common practice is to construct URLs like so:
foo-delete?foo_id=$foo_id
instead of
foo-delete?[export_vars -sign foo_id]
Adding -sign to calls to export_vars, and adding :verify to ad_page_contract variables, will allow for verification of input on pages that accept URL variables that are not forms. To make ad_page_contract work with signed variables, add :verify to the query variable definition. I think a global -verify {} section added to ad_page_contract to verify all variables would be a good addition to provide a shortcut for this. Another option would be to create an ACS kernel parameter to set all ad_page_contract variables to be verified by default (off by default for backwards compatibility).
ad_form already includes a form signature. I will have to look into the template::form calls to see if they also need to be called with a -sign parameter.
The biggest job to clean this up is fixing all the places in the toolkit where the URL variables are explicitly defined as in my first example.
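The two link constructions from the post side by side, followed by the receiving page's ad_page_contract, as an added example that is not part of the post or of the OpenACS sources. It assumes a link-building page and a receiving page named foo-delete.tcl, a variable foo_id, a constructed sample value of 42, and a hypothetical table foos; the export_vars -sign switch, the name:sig signature parameter and the ad_page_contract verify filter are the OpenACS mechanisms the post refers to.

```tcl
# Added example (not from the post or from OpenACS itself): the unsigned link
# construction the post warns about, the signed construction beside it, and
# the receiving page that checks the signature.
# Assumptions: receiving page foo-delete.tcl, variable foo_id, table foos.

# --- Link-building page (for example foo-list.tcl) ---
set foo_id 42   ;# constructed sample value

# Weak: the value is interpolated verbatim. The receiving page has no way to
# tell a value this server emitted from one that was edited in transit.
set delete_url "foo-delete?foo_id=$foo_id"

# Signed: export_vars -sign appends a foo_id:sig parameter computed with the
# server's secret, giving roughly foo-delete?foo_id=42&foo_id:sig=...
set delete_url "foo-delete?[export_vars -sign {foo_id}]"

# Same thing with -base, which also assembles the base URL and encodes values.
set delete_url [export_vars -base foo-delete -sign {foo_id}]

# --- Receiving page: foo-delete.tcl ---
ad_page_contract {
    Deletes one foo. The verify filter rejects any foo_id whose foo_id:sig
    parameter is missing or does not match, so a tampered or hand-typed
    foo_id never reaches the delete below.
} {
    foo_id:integer,notnull,verify
}

# Signature checking is not authorization: a valid signature proves this
# server produced the link, not that the current user may delete the row.
# Keep the permission check regardless.
permission::require_permission -object_id $foo_id -privilege admin

# Hypothetical table; the real delete would be package specific.
db_dml delete_foo { delete from foos where foo_id = :foo_id }
```

The verify filter only rejects values that were not signed by this server, so the remaining cleanup the post describes is finding every hand-built "?foo_id=$foo_id" link and switching it to export_vars -sign, since an unsigned link to a page that requires verify simply stops working.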