Client-Side Web Scripting • allows programs (i.e., scripts) to be downloaded from the web server

and executed on the client (i.e., browser) • common client-side scripting technologies:

o JavaScript, ECMAScript, JScript o VBScript, ActionScript o Java applets, ActiveX controls, Flash animations

• common uses: o dynamic (X)HTML

page embellishments and special visual “effects”, content generation and manipulation, user interaction, document and page navigation, etc.

o form validation o asynchronous/partial content retrieval, RIA technologies (e.g.,

AJAX) • common issues:

o browser support no scripting support scripting disabled plugin availability

o version incompatibilities, non-standard implementations o capability restrictions

scripting languages are not general-purpose programming languages

e.g., JavaScript is restricted by the sandbox execution model and the same origin policy

o security risks browser implementation defects (e.g., buffer overflows) e.g., for JavaScript, cross-site scripting (XSS) or cross-site

request forgery (XSRF) issues malicious ActiveX controls

JavaScript

• developed by Brendan Eich at Netscape Communications as the scripting language for the Netscape Navigator browser

• formerly called Mocha, then LiveScript, then JavaScript • standardized by Ecma International as ECMAScript • latest version: JavaScript 1.8 • common version: JavaScript 1.5, JScript 5.5, ECMAScript v3 (ECMA-

262 3rd edition)

• linked/embedded in web pages using the <script> element o linked:

<script type=”text/javascript” src=”scripts.js” />

o embedded (either in the <head> or the <body> element): <script type=”text/javascript”> <!-- hide script from non-JavaScript browsers... /* script code goes here... */ // end of script hiding... --> </script>

• JavaScript + DOM/BOM + CSS + (X)HTML = DHTML • basic language features:

o paradigm: object-oriented (prototype-based), functional, imperative,

scripting language o Java-/C-like syntax:

implicit semicolon insertion for statement termination identifiers use alphanumeric, _, and $ characters case-sensitive keywords and identifiers single-line (//) or block (/* */) comments

o type system and variable scoping rules: dynamic (a.k.a. loose or weak) typing global (a.k.a. top-level) or local scopes data types:

• primitive types o numbers (decimal, hexadecimal notation) o booleans (true, false) o strings (single or double quote delimited) o undefined and null

• composite (object) types o core JavaScript objects

Object, Number, Boolean, String, Date, Math, Global, RegExp, Error

arrays (Array) functions (Function, Arguments)

o client-side JavaScript objects Window, Navigator, Screen, Document, Location, History

Anchor, Applet, Attr, Comment, DOMException, DOMImplementation, DocumentFragment, Element, Event, Form, Image, Input, Layer, Link, Node, Option, Select, Style, Text, TextArea

o keywords: break, case, catch, continue, default, delete, do, else, false, finally, for, function, if, in, instanceof, new, null, return, switch, this, throw, true, try, typeof, var, void, while, with

o reserved words (for possible future language extensions): abstract, boolean, byte, char, class, const, debugger, double, enum, export, extends, final, float, goto, implements, import, int, interface, long, native, package, private, protected, public, short, static, super, synchronized, throws, transient, volatile

o operators . [] () new ++ -- + - * / % = compound assignment operators == != < <= > >= === !== && || ! & | ^ ~ << >> >>> ?: , delete typeof instanceof in void

o statements and control structures var if-else

• condition expressions having values of 0, ””, null, and undefined evaluate to false

switch-case-default-break • allows any expression type as the switch expression • can use expressions as case labels • with fall-through functionality

while, do-while, for, for-in, break, continue try-catch-finally, throw

• throw and catch can handle any expression type function, return with