On 3 Oct 2014 at 23:48, Matti Karnaattu wrote:

...

> >etc...and that's not the only way javascript can be used maliciously
> 
> These are called security holes.
> 
> >There is good reason not to explicitly trust javascript or any other
> >browser plugin that allow the remote site to execute code on your
> >machine.
> 
> Unfortunately, we are living in a world where almost all applications are
> nowadays written with Javascript or compiled to Javascript. And it is
> a matter of time when the rest of the issues are solved which prevent it
> being used ~everywhere to reduce server load.

Many a naïve person believes you can "add" security as an afterthought 
but I'm not aware of this approach ever truly succeeding.

> For that reason, it is not beneficial to avoid Javascript. Instead it
> is useful to think how it can be run securely.

The only possible way to run it securely is to run it very very 
sparingly, and *only* when you believe that you are working with 
reasonable input. (You wouldn't go into a minefield armed only with a 
blindfold in order to "think how to do it safely", would you?)

> Javascript is today's C.

Fruits and vegetables. C is a fairly low-level *language* and the 
quality of the resulting application is entirely dependent on the 
programmer. Browser Javascript is as you yourself pointed out a 
*platform* i.e. it IS a complete application designed and built by 
people that do not think to close the barn until after the cows are 
gone (and probably consider any real lock to be too cumbersome).
