RFD: How To Recognize Bad Javascript Code

#21

In comp.lang.javascript message <fldvt4$r4m$1 (AT) registered (DOT) motzarella.org>
, Tue, 1 Jan 2008 13:13:51, Anthony Levensalor
<anthony (AT) mypetprogrammer (DOT) com> posted:

Quote:

Thomas 'PointedEars' Lahn posted :

Are you a programmer or an English teacher? Oh, you're both! That would
explain a whole bunch.

It is commonly considered polite and prudent to read a newsgroup for a
while *before* posting to it. If you had done that, you would have
known about Thomas Lahn.

--
(c) John Stockton, Surrey, UK. ???@merlyn.demon.co.uk Turnpike v6.05 MIME.
Web <URL:http://www.merlyn.demon.co.uk/> - FAQish topics, acronyms, & links.
Check boilerplate spelling -- error is a public sign of incompetence.
Never fully trust an article from a poster who gives no full real name.

#22

AKS said the following on 1/1/2008 2:03 PM:

Quote:

On Jan 1, 11:30 pm, Randy Webb <HikksNotAtH... (AT) aol (DOT) com> wrote:

Things you didn't cover:
...
Use of "new Function".

Is there anything wrong with use of "new Function"?

Other than it is an equivalent to eval?

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

#23

Jeremy J Starcher posted :

Quote:

Not to name names, but had I the skill to recognize
URL: http://www.dynamicdrive.com/ > for what it was, I wouldn't have had
to unlearn so much.

I'm just heading down that "re-learning everything I thought I knew"
path in Javascript because of that and sites like it. Thanks for not
wanting anyone else to go through this, it's not fun.

~A!

#24

Anthony Levensalor wrote:

Quote:

First, I liked your doc, and the comments on it so far have taught me a
lot.

But you despise the people that made them? Something doesn't add up here.

Quote:

I haven't commented because I lack the experience to intelligently do so

That much is obvious.

Quote:

As for Thomas, I was sniping. He irritates me. I really didn't want to do
anything in that post but irritate him,

If you do think that could do any good, you are using the wrong medium.
You are back out of my killfile, for now, but scored Lowest.

Quote:

apologies for sidetracking the discussion of your work.

You are apologizing to the wrong person.

Quote:

I hate to see someone put so much effort and labor into something to have
someone be so callous about it.

You missed:

,-<477A71FF.6000209 (AT) PointedEars (DOT) de>

Quote:

[...]
Is my basic goal flawed?

I don't think so. I think it would make a fine addition to the FAQ after
careful evaluation.

Is code bad in so many different ways

You can bet on that.

that I should just pack up shop and forget this?

No, it's a good start.

PointedEars
--
var bugRiddenCrashPronePieceOfJunk = (
navigator.userAgent.indexOf('MSIE 5') != -1
&& navigator.userAgent.indexOf('Mac') != -1
) // Plone, register_function.js:16

#25

Thomas 'PointedEars' Lahn posted :

Quote:

If you do think that could do any good, you are using the wrong medium.
You are back out of my killfile, for now, but scored Lowest.

Could you put me back in?

~A!

#26

Jeremy J Starcher said the following on 1/1/2008 2:38 PM:

Quote:

On Tue, 01 Jan 2008 13:30:25 -0500, Randy Webb wrote:

<snip>

Quote:

href:javascript.
Drop #1, they all fall into the "Too stupid to know better" category.

If this were directed at coders, I'd agree. I'm trying to aim this paper
more at people getting into looking at/learning Javascript and maybe help
them avoid a lot of the crap I waded through.

I still think the 1. falls into the 2. category.

Quote:

Thomas had a few comments that have been thinking over the eval issue.
I'm still pondering.. but you bring up valid points as well.

One thing to consider with eval and search engines. I think it is a
straw man's argument. 10 years ago, you couldn't find a bot that
processed scripts. Using eval to "hide scripts from a search engine"
just doesn't hold water.

Quote:

The use of the "with" operator.
Food for thought. I've avoided the with operator since the ancient days
of Pascal, so I don't even see code in it. Barely aware that JS had one.

It has a severely broken/crippled with operator.

Quote:

Use of "new Function".
I don't see this one too often.

It is old school programming at best.

Quote:

There are, inevitably, more things you didn't cover.

Personally, I think a "Best Methods" document is of far more value than
a "Bad Methods" document. Then, you aren't showing people bad ways to do
things, you are showing them the best ways to do things. And even though
I don't agree, totally, with Matt's, I keep it in my signature for that
very reason.

I won't quibble the need for a "Best Methods" document, but I was trying
to fill a different need. I see a "Best Methods" as a document aimed at
coders. I'm trying to aim at people who don't code yet.

Then what would serve them better is a good, solid tutorial.

Quote:

It is my goal to have an easy-to-understand list of things that should
throw up red flags when you see them in code. If too many code snippets
have these red flags, skip onto the next site.

Sadly enough, 99.99% of sites on the web fall into that category. I hold
out that 0.001% in the hopes that a decent tutorial site does exist.

Quote:

Not to name names, but had I the skill to recognize
URL: http://www.dynamicdrive.com/ > for what it was, I wouldn't have had
to unlearn so much.

Some of the first copy/paste scripts I ever used came from there. It
took a while for me to understand what was wrong with them. The first
tutorial I ever went through (web-based) was on the HTMLGoodies site
when Joe Burns was writing them. Not the best quality but at the time
the best I could find. Was enough to "Get my feet wet" and obtain the
desire to know more.

Now, I wish a good one did exist.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

#27

Anthony Levensalor said the following on 1/1/2008 3:31 PM:

Quote:

Thomas 'PointedEars' Lahn posted :

If you do think that could do any good, you are using the wrong medium.
You are back out of my killfile, for now, but scored Lowest.

Could you put me back in?

My life is so much calmer since he kill-filed me. I hope I stay there
forever.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

#28

On Tue, 01 Jan 2008 19:43:15 +0100, Thomas 'PointedEars' Lahn wrote:

Quote:

Jeremy J Starcher wrote:
On Tue, 01 Jan 2008 18:01:51 +0100, Thomas 'PointedEars' Lahn wrote:
d. "JavaScript1.2" actually means something in NN4; ask Google.
I have never seen anyone using "JavaScript1.3", though.

I didn't know if that was backwards compatible to browsers today or not.
If memory serves me correctly, it changes some of the array methods.

Care to elaborate?

The bottom section of this page:

<URL: http://bclary.com/2004/08/27/javascr...ompatibilities >
and
<URL:
http://books.google.com/books?id=xn5...FijvaXLV72CwIa >

(Sorry for the URL lengths.) Memory says there was one other issue
regarding arrays and Javascript1.2, but I can't recall now.

Quote:

2. 'Using "href:javascript"'

[...]
There are other points that I have also mentioned in my FAQ
notes last year. There are also exceptions to be made in
special cases.

Wow. You know stuff I didn't even know I didn't know. Those are enough
of an edge-case I doubt I will include them in this article though. Its
not the sort of thing most folks will find looking for code snippets.

Quote:

A reasoning for the statement that the security concerns could be
easily addressed is missing.

I'll toss in this link: <URL: http://www.json.org/json2.js > In my
reading, I haven't heard of anyone finding holes in it.

I know the JSON reference implementation but I don't see how that would
provide a reason for your statement that it would be easy to address
security concerns that using eval() with JSON would introduce. Care to
elaborate?

Either we are talking cross-purposes here, or I am really missing
something. It is my understanding that the JSON.parser has enough
checking to filter out anything that isn't data and therefore it "easily
addresses the security concerns that using eval()" introduces.

#29

On Tue, 01 Jan 2008 15:32:47 -0500, Randy Webb wrote:

Quote:

Jeremy J Starcher said the following on 1/1/2008 2:38 PM:
On Tue, 01 Jan 2008 13:30:25 -0500, Randy Webb wrote:
Not to name names, but had I the skill to recognize
URL: http://www.dynamicdrive.com/ > for what it was, I wouldn't have had
to unlearn so much.

Some of the first copy/paste scripts I ever used came from there. It
took a while for me to understand what was wrong with them. The first
tutorial I ever went through (web-based) was on the HTMLGoodies site
when Joe Burns was writing them. Not the best quality but at the time
the best I could find. Was enough to "Get my feet wet" and obtain the
desire to know more.

Now, I wish a good one did exist.

I know the "Code Worth Recommending Project" has taken on some of that.
They are going through some growth pains and sorting out some of the
basics. I'd be willing to donate code once they are ready for
higher-level functions.

As for a good tutorial: I've actually thought about writing one. Its
been over a decade since I've done any real technical writing, but I think
I could find the touch again. Like all of us, the trouble is time. With
all the crap on the market, I don't know if my book would actually -sell-
and I'd feel obligated to c.l.j for at least -part- of the money I made on
the second edition, because the first edition will be red-lettered to
death from you guys. *grin* Not a bad thing, but I can't easily post a
credit-card number here and say 'Withdraw what you earned.'

#30

On Tue, 01 Jan 2008 13:38:43 -0500, Randy Webb wrote:

[regarding javascript: protocol]

Quote:

The group FAQ, and the Notes pages on it, cover just about every aspect
of javascript: protocols.

I'll re-read the FAQ again, thanks.

Quote:

try/catch is another of the things you didn't cover. Don't use it.

I've not used try/catch in Javascript myself, but I've done reading on it.

According to <URL: http://www.w3schools.com/js/js_try_catch.asp >
try...catch statement is available in IE5+, Mozilla 1.0, and
Netscape 6. Googling says Opera and KHTML both have it.

I don't understand the concern ... are there common browsers out there
that don't support it? I've heard rumors about mobile devices, but
nothing concrete.

c2a5de32-b97d-463c-aee7-21fecd3f0b7b...oglegroups.com

would seem to dictate that is the case.