JavaScript: Difference between revisions
weird but useful mish-mash of theme and product templates |
move forced-req to "Why it is a problem" section |
||
| Line 11: | Line 11: | ||
'''[[wikipedia:JavaScript|JavaScript]]''' ('''JS''') is a [[wikipedia:Programming_language|programming language]] and core technology of [[wikipedia:World_Wide_Web|the Web]], alongside [[wikipedia:HTML|HTML]] and [[wikipedia:CSS|CSS]]. It was created by [[wikipedia:Brendan_Eich|Brendan Eich]] in 1995.<ref>https://exploringjs.com/es5/ch04.html</ref> As of 2025, the overwhelming majority of [[wikipedia:Website|websites]] (98.9%) uses JS for [[wikipedia:Client_(computing)|client]]-side [[wikipedia:Web_page|webpage]] behavior.<ref name="deployedstats">{{cite web |title=Usage Statistics of JavaScript as Client-side Programming Language on Websites |url=https://w3techs.com/technologies/details/cp-javascript |access-date=2024-02-27 |website=W3Techs }}</ref> It's even used on the [[wikipedia:Server_(computing)|server]]-side (see [[wikipedia:Node.js|Node.js]]). | '''[[wikipedia:JavaScript|JavaScript]]''' ('''JS''') is a [[wikipedia:Programming_language|programming language]] and core technology of [[wikipedia:World_Wide_Web|the Web]], alongside [[wikipedia:HTML|HTML]] and [[wikipedia:CSS|CSS]]. It was created by [[wikipedia:Brendan_Eich|Brendan Eich]] in 1995.<ref>https://exploringjs.com/es5/ch04.html</ref> As of 2025, the overwhelming majority of [[wikipedia:Website|websites]] (98.9%) uses JS for [[wikipedia:Client_(computing)|client]]-side [[wikipedia:Web_page|webpage]] behavior.<ref name="deployedstats">{{cite web |title=Usage Statistics of JavaScript as Client-side Programming Language on Websites |url=https://w3techs.com/technologies/details/cp-javascript |access-date=2024-02-27 |website=W3Techs }}</ref> It's even used on the [[wikipedia:Server_(computing)|server]]-side (see [[wikipedia:Node.js|Node.js]]). | ||
== Consumer-impact summary == | ==Consumer-impact summary== | ||
*'''Degraded accessibility''': Dynamic and/or active content is well-known to have poor accessibility for users with visual and/or cognitive impairments. While standards such as [[wikipedia:WAI-ARIA|WAI-ARIA]] were created to mitigate this, it's no silver bullet, especially when developers aren't aware of ARIA. | *'''Degraded accessibility''': Dynamic and/or active content is well-known to have poor accessibility for users with visual and/or cognitive impairments. While standards such as [[wikipedia:WAI-ARIA|WAI-ARIA]] were created to mitigate this, it's no silver bullet, especially when developers aren't aware of ARIA. | ||
*'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]]. | *'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]]. | ||
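Review bot: The lead paragraph carried as context in this hunk says "As of 2025" for the 98.9% figure, but the W3Techs citation behind it has access-date=2024-02-27, so the stated year and the source date disagree. Since the revision is already touching this part of the page, re-check the figure against the source and bring the year or the access-date in line. The heading edit itself ("== Consumer-impact summary ==" to "==Consumer-impact summary==") is whitespace only and is fine as long as the same spacing is used for every heading on the page.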
| Line 21: | Line 20: | ||
*'''Security risks''': JS is well-known for being a poorly-designed tool.<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://wiki.theory.org/YourLanguageSucks#JavaScript_sucks_because</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that JS is [[wikipedia:Turing_completeness|Turing-complete]] (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]) is a recipe for disaster, as it makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. It's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]]. | *'''Security risks''': JS is well-known for being a poorly-designed tool.<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://wiki.theory.org/YourLanguageSucks#JavaScript_sucks_because</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that JS is [[wikipedia:Turing_completeness|Turing-complete]] (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]) is a recipe for disaster, as it makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. 
It's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]]. | ||
== How it works == | ==How it works== | ||
Whenever a user visits a webpage, an average web-browser will execute the JS code it finds in <code><script></code> [[wikipedia:HTML_element|tags]]. This code could do anything from updating part of the page only when the user requests it, to showing a [[wikipedia:Pop-up_ad|popup/popunder]]. | Whenever a user visits a webpage, an average web-browser will execute the JS code it finds in <code><script></code> [[wikipedia:HTML_element|tags]]. This code could do anything from updating part of the page only when the user requests it, to showing a [[wikipedia:Pop-up_ad|popup/popunder]]. | ||
When JS tries to access a "privacy-sensitive" Web API (such as the microphone) the browser pauses it until the user has granted access to that API. This is typically done on a per-domain basis. However, as mentioned earlier, many other APIs don't need to ask permission before fetching data. | When JS tries to access a "privacy-sensitive" Web API (such as the microphone) the browser pauses it until the user has granted access to that API. This is typically done on a per-domain basis. However, as mentioned earlier, many other APIs don't need to ask permission before fetching data. | ||
== Why it is a problem == | ==Why it is a problem== | ||
Note that, despite its flaws, JS typically is not a problem on its own, but it becomes a problem when given too much power. | |||
Many webpages (and even entire websites), force the user to keep JS enabled, otherwise they break or deliberately refuse to work. In 2026, considering the advancements in HTML and CSS technology, there is minimal reason why an average website (excluding real-time simulations and low-latency gaming) would ''ever'' need JS. The only valid justification are [[wikipedia:Legacy_code|legacy code-bases]], as those are impractical to migrate to no-JS solutions. | |||
Expanding on the security risks, these are the most common vulnerabilities found in JS code: | Expanding on the security risks, these are the most common vulnerabilities found in JS code: | ||
*[[wikipedia:Cross-site_scripting|XSS]], which [[wikipedia:NoScript|NoScript]] tries to mitigate | *[[wikipedia:Cross-site_scripting|XSS]], which [[wikipedia:NoScript|NoScript]] tries to mitigate | ||
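Review bot: The "Many webpages (and even entire websites), force the user to keep JS enabled" paragraph under "Why it is a problem" states a judgement as fact with no reference: "there is minimal reason why an average website ... would ''ever'' need JS" and "The only valid justification are legacy code-bases" need either a citation or attributed wording, because the rest of the section backs its claims with refs. The same paragraph has a stray comma after "(and even entire websites)" and a subject-verb mismatch in "The only valid justification are", which should read "justification is" or "justifications are". It also says "In 2026" while the lead says "As of 2025", so pick one reference year for the page.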