Talk:JavaScript
From MDC
We have <script>, <noscript> and where is <noparse> ?
Okay, so I'm making this site, and I thought that it would be good to let people use some HTML tags, perhaps CSS and other stuff that browsers have to offer us, without the need for crappy BB code. But then I would have to worry a lot about XSS. And suddenly, this came to me - <noparse> !
Any JavaScript, ActionScript, WhateverScript inside a <noparse> tag wouldn't be parsed by the browser. Doesn't matter if it's used in a bold way like <script>alert('XSS')</script> or some sophisticated yet unknown technique - it would be ignored.
For example <noparse>"Some non-suspicious content goes <body onload=alert('Your mine!')> here <img src="some.png" alt="some" />"</noparse> would produce "Some non-suspicious content goes here (some.png image)" without alerting 'Your mine!'.
Of course there is still a need to make sure that this tag wouldn't be closed by an attacker in a place we didn't plan for, but hey - that's much less to worry about.
--paziek 18:09, 16 May 2008 (PDT)
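One way to allow a few HTML tags in user content today, shown as an added example that is not part of the original post: escape all input first, then re-enable only markup matching a strict allow-list. The function names, the tag list and the accepted `<img>` shape are assumptions made for this sketch.

```javascript
// Added example (not from the original post): escape everything first, then
// re-enable only markup that matches a strict allow-list.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Assumed policy: these tags are allowed, but only with no attributes at all,
// so event handlers such as onload can never ride along.
const PLAIN_TAGS = ['b', 'i', 'em', 'strong', 'p', 'br'];
const PLAIN_TAG_RE = new RegExp('&lt;(/?)(' + PLAIN_TAGS.join('|') + ')\\s*(/?)&gt;', 'gi');

// Assumed policy: <img> is allowed in exactly one shape, src then alt, where
// src is an http(s) URL or a relative path and alt holds no escaped characters.
const IMG_RE = /&lt;img src=&quot;((?:https?:\/\/)?[\w.\/-]+)&quot; alt=&quot;([^&]*)&quot;\s*\/?&gt;/gi;

function sanitizeUserHtml(input) {
  return escapeHtml(input)
    // Rebuild allow-listed tags from their escaped form; nothing else is touched.
    .replace(PLAIN_TAG_RE, (m, slash, tag, selfClose) =>
      '<' + slash + tag.toLowerCase() + selfClose + '>')
    // Rebuild the one accepted <img> shape from its validated parts.
    .replace(IMG_RE, (m, src, alt) => '<img src="' + src + '" alt="' + alt + '">');
}

// Constructed sample, based on the markup quoted in the post.
const SAMPLE = "Some <b>non-suspicious</b> content goes " +
  "<body onload=alert('Your mine!')> here " +
  '<img src="some.png" alt="some" />';

console.log(sanitizeUserHtml(SAMPLE));
```

Because all input is escaped before anything is re-enabled, there is no closing delimiter for user content to break out of, which is the residual risk the post names for `<noparse>`.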
A quick intro to JS
This has a chance to become a nice quick intro to JS (a bit raw ATM): http://javascript.infogami.com/Javascript_in_Ten_Minutes
This is the kind of information we need at the Getting started page. --Nickolay
Is JavaScript really object-oriented?
I don't think JavaScript qualifies for the object-oriented label. I do agree the primitive concept of object is somehow present in most (if not all) JavaScript code, but also the lack of classes and inheritance (for the sake of the basics in OOP) drives me to conclude that JavaScript should not be called an OO programming language. Manu 20:15, 6 November 2005 (PST)
- Depends on your definition of OOP. Strictly speaking, it is heavily object-oriented in that everything is treated as an object (with the exception of raw values such as strings and numbers). Sure it does not have a class-based OOP, but it does have prototype-based OOP, and that's OOP nonetheless. JS can hack up classes with private member support, although protected member support is far harder to implement. JS has prototype-based inheritance. --Maian 23:09, 6 November 2005 (PST)
- Well, my definition of OOP includes simplicity of expression. I do agree JS is OO, but I don't agree it is an OO language. Although objects in JS are simple and powerful (dynamic interfaces, for instance), expressing simple and common constructs in JS is more like hacking than "elegant" (in a manner of speaking) coding. OOP in JS shows how hard it is to achieve minimal encapsulation. In summary, I think there's more needed to be an OO language than the mere use of objects. Regards, Manu. Manu 08:12, 9 November 2005 (PST)
- See Correct OOP for Javascript before you formulate a final opinion.
web counters
This is probably not the right place to discuss web counters, but I haven't been at the dev-moz wiki long enough to figure out the right place -- where is a better place? --DavidCary 14:38, 9 Jul 2005 (PDT)
It seems that many web counters use embedded JavaScript.
One free web counter service asks me to use this lump of code:
<script language="javascript">
var data, p;
var agt=navigator.userAgent.toLowerCase();
p='http';
if((location.href.substr(0,6)=='https:')||(location.href.substr(0,6)=='HTTPS:')) {p='https';}
data = '&r=' + escape(document.referrer) + '&n=' + escape(navigator.userAgent) + '&p=' + escape(navigator.userAgent);
if(navigator.userAgent.substring(0,1)>'3') {data = data + '&sd=' + screen.colorDepth + '&sw=' + escape(screen.width+ 'x'+screen.height)};
document.write('<a href="http://www.counterspot.com" target="_blank" >');
document.write('<img border=0 alt="free counters" hspace=0 '+'vspace=0 src="http://www.counterspot.com/counter.php?i=404' + data + '"></a>');
</script><noscript><a href="http://www.counterspot.com" target="_blank" >free counters</a></noscript>
I see it only half-way implements the standard "Javascript hiding" technique, used to present substitute text to JavaScript-disabled browsers:
<script language="javascript"> <!--
... JavaScript goes here, invisible to JavaScript-disabled browsers ...
// --> </script> <noscript>
... human-readable text goes here, invisible to JavaScript-enabled browsers ...
</noscript>
Also, I see that it is ever so careful to set "p" to the proper value ... then it never uses "p". How strange.
Normally I just ignore bad JavaScript. But since this person is trying to get this snippet of code attached to the bottom of many, many web pages, should I clue this person in that there is a better way?