Home | All Questions | alt.html FAQ > Client-side Basic Scripting

Why is Javascript so evil?

Because webmasters use it to make:

Only use Javascript to accomplish tasks that cannot be done using HTML.

Javascript was intended to enhance webpages, not replace the functionality of them and if used properly Javascript can significantly improve the usability of a website as well as increase the total user experience. It is a luxury, not a neccessity. A lot of designers think its their god-given right to annoy the hell out of visitors with bulky Javascript effects, so turning of Javascript is almost a requirement to visit some websites.

However, not all is as bad as it seems as most of the people will turn on Javascript when they are convinced that the Javascript required is appropriate. But using Javascript for critical functions such that your site breaks if Javascript is disabled is going to cause a webdeveloper problems.

There is a security reason for disabling Javascript, which we detail in the next section.

Javascript and Internet Explorer

Javascript on it's own is pretty harmless. The issue is JScript, which most people think is the same as JavaScript. When a web site executes "javascript" in Internet Explorer-based browsers you are not really executing JavaScript but JScript. Both have ECMAScript compatibility's but JScript has powerful additions that can be abused.

In a default security environment in a web browser you should always see warnings when abuseable scripts are about to be executed, this offers some simple protection. If a page or "zone" is given increased security privileges then some such content (if not all) may be executed freely. JScript may read/write/delete files, start any program on your machine e.g. format or a "Trojan" application. Outside of the context of a web-browser the Windows Scripting Host (WSH) allows scripts to be executed on your Windows machine that are just as damaging. Indeed the VBScripts that people associate with viruses like "I Love You" are executed via the WSH - JScript can be used to write equally damaging scripts.

An anti-virus application like Norton Anti-Virus should capture such scripts whether in or outside of a browser, a software firewall like ZoneAlarm will capture most Trojans and may offer script blocking as well. On the server JScript is used under the umbrella of ASP to build interactive web applications, where you mostly likely would desire to use these features. On the server these features may be abused if the server is breached or if the administrator has not configured the server correctly.

As for security concerns, turn off ActiveX. Javascript can do no harm without the use of ActiveX in IE.

Javascript and Netscape Navigator 4

Javascript's live connect to Java in NN4 has had security exploits demonstrated which are similar to JScript's ActiveX.

Recommended Resources

Discussion

Related Questions