I think it would be better to not conflate language and runtime issues. For example, one can improve language misfeatures such as semicolon insertion, lack of built-in namespacing, etc. Even when you improved this, you would still want to improve the (browser + DOM) architecture/runtime, but in many cases these are orthogonal concerns.
The global scope thing is not entirely true; you can use closures to minimize the global scope usage.

The problem is not that bad:
- on the server side, always sanitize user input
- only put script tags from places you trust
Since this old presentation of mine has resurfaced (first on Reddit and now here), here's the comment I made on Reddit:

    A good companion to this presentation is Douglas Crockford's presentation on JavaScript security: http://javascript.crockford.com/security.ppt (Warning: PowerPoint).

    He makes similar points about the security of JavaScript and comes up with a different solution. He proposes doing away with most of JavaScript and allowing only a safe subset of the language to be used.

As a follow-up I had proposed signing of <SCRIPT> tags: http://blog.jgc.org/2009/09/solving-xss-problem-by-signing-tags.html