JavaScript insecurities

I will personally use javascript where and whenever I need it as I use it as the backbone for specific situations.

Any form of client-side scripting in websites, be it javascript or other, can end up exploiting the user's machine just because it's already being run on the client as it's being retrieved. Just javascript is getting the spotlight on it compared to the other forms of client-side scripting, which is why it's now raising a concern. Once javascript is hosed, other client-side scripting will be used to do the same in the future.

It basically falls upon two things:

1) If a webpage can be dynamically changed, it can be manipulated using any form of scripting.

2) As long as HTML at the very least can access content on the user's PC, even using the file:// prefix, any HTML or scripting can use that to run programs remotely on the user's PC. All done through dynamically adding and editing the page's content on load or after load of the page. Even through taking advantage of remote loading through IE via a few distinct CLSIDs abused by Gator.

Once at least those two things are dealt with, scripts can't do much more. However, removing the ability to dynamically edit a page through scripting defeats much of a script's purpose in 90% of the cases where it is used.

Edited by Chozo4

Indeed. There are attacks on everything all the time. We're not giving up on C++ even though we never stop seeing buffer overflow exploits. Stuff will be attacked, and compromised.

Giving up on javascript? Not a chance. It's stronger than ever.

It's a truly useful tech. I don't like the language itself much (if at all), but it makes things possible. Things like:

- client-side form validation (no need to post back to be told your passwords don't match, "765" isn't a valid age, you MUST enter your email address, or such)

- it's used by tons of widgets (think FCKeditor/FTB/dropdown controls, sliders, etc.; normal HTML form controls suck, really)

- it's used for tons of useful things like expanding/collapsing menus and sections.

- it's used for various useful animations or such (hiding panels, etc.)

- it's used for accessibility (techniques like JS image replacement)

- it's used for enhancing pages in many ways (altering stuff by walking the DOM, etc.)

- anything you've seen that referred to DHTML

- and of course, all that newfangled overhyped "web two point oh" total AJAX overload stuff! That one point alone (seeing how things are evolving, new and hugely popular sites) means it's not going away; things like Google Maps. There are tons of new frameworks popping up every day too (Atlas is nice). Javascript usage is almost exponential; it's used more and also increasing faster than ever.

Giving up on javascript would take the web back like 10 years. And it's already somewhat stuck in the past. W3C being too slow (slowly becoming irrelevant), technologies evolving but getting no support, etc.

Not to mention MS' sorry excuse for a sh***y browser (IE) holding adoption of standards back. Tabs may be nice, but what about basic CSS support and such? IE8 (shipping with Vista's successor in 2025?) might finally support basic things every other browser has supported for ages. Who knows. Heck, we might have to wait for IE 324 for it to support the proper XHTML MIME type (application/xhtml+xml), in 4500 AD, give or take a couple hundred years...

Today's browser CSS support is just *starting* to be half decent (with one big exception). But where's XForms? SVG support? A *decent* set of widgets? (we could *REALLY* use a combobox control - stuff like VB3 had MANY years ago) Newer/better styling & scripting technologies? Better typography? Better parsers than the DOM? SMIL? XHTML+Voice? MathML? Decent multimedia stuff (don't even mention QT or flash video)?...

There are so many people out there still serving ugly non-validating almost-but-not-quite-HTML 4 tag soup: a HUGE mess of content, markup and styling (countless font tags) in every page, using tables for layout, breaks instead of styled paragraphs, often with no doctype (quirks mode), IE-only pages, etc. Then there are all the ugly hacks to solve some browser's rendering issues and all. Character encoding/Unicode issues. There are days like that when I wish we threw it ALL away and started again from scratch. Seemingly, some people are kind of doing that already: using the HTML page itself for nothing more than a Flash container, and doing everything in Flash (I truly despise Flash though). Javascript and even more javascript seems like the only hope to have somewhat modern/interesting features these days. We can already see what the web (from a technology standpoint) will be like in 5 years: nothing's changed, old browsers not supporting new techs and such (CSS2? SVG? Nah, 50% of the web will still use IE6 or such, and it supports nothing new or useful).

The day we're dropping javascript, we might as well ditch web browsers and use telnet instead as far as I'm concerned. Why not drop markup and images too (images can cause buffer overflows in decoding libs; see the WMF exploit), and only have plain 7-bit ASCII text left while we're at it? I bet it would be real secure (although not quite as much as not even having a network connection -- hey, now THAT'S an idea!)

If anything, they've got to figure out how to secure javascript better or such (rework of ecmascript engines in browsers), as nothing's going to replace it anytime soon. And without it, it'd be back to the web's stone age more or less.
