Introduction to JavaScript

We shall start by describing JavaScript as a client-side scripting language, which requires no pre-compilation and, as such, can be embedded within the HTML of a given website and then interpreted by your browser. Within the mysearch.org.uk website, JavaScripts have been used extensively to provide a range of dynamic navigation options plus some specific 'apps'.

As there has already been a general discussion of the web navigation scripts (see Web Navigation), this discussion will only review the source code of two 'calculators' that allow the user to input different values, which are then used to update the web page with the required answers. While it is possibly overselling these scripts to call them apps, they fulfil a similar requirement. In this respect, users have come to accept embedded JavaScripts because they are useful and, historically, they appear to have represented a much smaller security risk than pre-compiled executable programs, although this is normally what an app represents. Therefore, it might be sensible to address some general aspects of JavaScript before jumping into the source code examples to follow, and we might start by raising an obvious question:

What is JavaScript?

As indicated, JavaScript is a high-level, run-time interpreted programming language that has been widely used since its release in 1995. Today, JavaScript is said to be the world's 11th most popular programming language in a very large list of languages. Typically, JavaScript is used to add either dynamic control or content to a web page, e.g. form submission and validation, general user interaction, animations etc. To do this, JavaScript is often embedded directly within an HTML page, although it is suggested that readability and logic-flow are possibly best served by splitting out any JavaScript into separate files, which then contain the specific functions required, and these are called at appropriate points within the HTML code. For example, the following JavaScript file might be included within the HEADER section of the HTML file being processed by the client-side browser:

            <script src="../scripts/functions.js" type="text/JavaScript"></script>

While the following JavaScript function calls can be made within the BODY of the HTML file:

            <script type="text/JavaScript">
                function1();
                function2();
            </script>

Of course, while the user may be unaware of the presence of such code embedded in the HTML file being downloaded from some arbitrary website on the Internet, your browser can normally be configured to enable or disable the use of JavaScript. This then leads us to the next question:

What about JavaScript security?

Since its release, there have been a number of JavaScript security issues that have gained some attention. For example, the way JavaScript interacts with the web page's Document Object Model (DOM) can pose a risk if it allows malicious agents to deliver scripts over the web and run them on the client-user computer. Normally, there are two measures that can be taken to contain this type of security risk. The first is known as sandboxing, which restricts the JavaScript so that it can only access certain resources and perform specific tasks. The second measure prevents JavaScripts from one site accessing data used by JavaScripts from other sites. However, in practice, many JavaScript security vulnerabilities are the result of the browser, rather than the user, failing to take the necessary measures to contain DOM-based JavaScript security risks. So it is left to the user to decide on the next question:

Should I disable JavaScripting within my browser?

In practice, few people disable JavaScript because doing so will often make many of the most interesting web pages effectively unusable. So while you could disable JavaScript, it would probably cause you a lot of annoyance for very little benefit. Therefore, it is probably more sensible to become aware of the security issues, in general, and use your own experience and your 'site advisor' to restrict access to the more obviously 'dangerous' types of websites on the Internet, which often hide a malicious intent. Of course, the other thing you can do to protect yourself is to understand a little about what the JavaScript code is capable of doing, which leads us nicely into the next discussion.
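
The second containment measure described under 'What about JavaScript security?' is what browsers call the same-origin policy. The following sketch is an added example, not code from the mysearch.org.uk scripts, showing how 'one site' is told apart from 'another site' by comparing scheme, host and port. The function names are hypothetical, and only http and https URLs are treated as having a comparable origin.

```javascript
// Added illustration, not code from mysearch.org.uk.
// Simplification: only http: and https: are given a comparable origin here.

// Default ports, so https://www.example.org and https://www.example.org:443 compare equal.
const DEFAULT_PORTS = new Map([["http:", "80"], ["https:", "443"]]);

// Reduce a URL to its origin tuple (scheme, host, port).
// Any other scheme (data:, file:, ...) yields null, i.e. an "opaque" origin.
function originOf(urlString) {
  const url = new URL(urlString);            // throws on malformed input
  if (!DEFAULT_PORTS.has(url.protocol)) return null;
  return {
    scheme: url.protocol,
    host: url.hostname,                      // already lower-cased by the URL parser
    port: url.port || DEFAULT_PORTS.get(url.protocol),
  };
}

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;   // opaque origins never match
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Label each resource URL as seen from the page whose script wants to read it.
function classify(pageUrl, resourceUrls) {
  return resourceUrls.map((r) => ({
    url: r,
    verdict: sameOrigin(pageUrl, r) ? "same-origin" : "cross-origin",
  }));
}
```

A different scheme, a different sub-domain or a different port is enough to make two URLs cross-origin, even when they look like the 'same website' to the user.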