Javascript security

16 points by tonyskn, over 14 years ago

3 comments

joubert, over 14 years ago
I think it would be better to not conflate language and runtime issues. For example, one can improve language misfeatures such as semicolon insertion, lack of built-in namespacing, etc. Even when you improved this, you would still want to improve the (browser + DOM) architecture/runtime, but in many cases these are orthogonal concerns.
DjDarkman, over 14 years ago
The global scope thing is not entirely true, you can use closures to minimize the global scope usage.

The problem is not that bad:
- on the server side, always sanitize user input
- only put script tags from places you trust
jgrahamc, over 14 years ago
Since this old presentation of mine has resurfaced (first on Reddit and now here), here's the comment I made on Reddit:

"A good companion to this presentation is Douglas Crockford's presentation on JavaScript security: http://javascript.crockford.com/security.ppt (Warning: PowerPoint). He makes similar points about the security of JavaScript and comes up with a different solution. He proposes doing away with most of JavaScript and allowing only a safe-subset of the language to be used."

As a follow-up I had proposed signing of <SCRIPT> tags: http://blog.jgc.org/2009/09/solving-xss-problem-by-signing-tags.html