The following features are common to all conforming ECMAScript implementations, unless explicitly specified otherwise.
Imperative and structured
As in most scripting languages, types are associated with values, not variables. For example, a variable
obj.x = 10 and
obj["x"] = 10 are equivalent, the dot notation being syntactic sugar. Properties and their values can be added, changed, or deleted at run-time. Most properties of an object (and those on its prototype inheritance chain) can be enumerated using a
Functions are first-class; they are objects themselves. As such, they have properties and can be passed around and interacted with like any other object.
inner functions and closures
functions as object constructors
Functions double as object constructors along with their typical role. Prefixing a function call with
new creates a new object and calls that function with its local
this keyword bound to that object for that invocation. The constructor’s
Array, also have prototypes that can be modified.
functions as methods
Unlike many object-oriented languages, there is no distinction between a function definition and a method definition. Rather, the distinction occurs during function calling; a function can be called as a method. When a function is called as a method of an object, the function’s local
this keyword is bound to that object for that invocation.
An indefinite number of parameters can be passed to a function. The function can access them through formal parameters and also through the local
array and object literals
Like many scripting languages, arrays and objects (associative arrays in other languages) can each be created with a succinct shortcut syntax. In fact, these literals form the basis of the JSON data format.
- property getter and setter functions (also supported by WebKit, Opera, ActionScript, and Rhino)
- iterator protocol adopted from Python
- shallow generators/coroutines also adopted from Python
- array comprehensions and generator expressions also adopted from Python
- proper block scope via new
- array and object destructuring (limited form of pattern matching)
- concise function expressions (
Syntax and semantics
The output is:
LCMCalculator: a = 28, b = 56, gcd = 28, lcm = 56
LCMCalculator: a = 21, b = 56, gcd = 7, lcm = 168
LCMCalculator: a = 25, b = 55, gcd = 5, lcm = 275
LCMCalculator: a = 22, b = 58, gcd = 2, lcm = 638
Use in web pages
- Opening or popping up a new window with programmatic control over the size, position, and attributes of the new window (e.g. whether the menus, toolbars, etc. are visible).
- Validation of web form input values to make sure that they will be accepted before they are submitted to the server.
- Changing images as the mouse cursor moves over them: This effect is often used to draw the user’s attention to important links displayed as graphical elements.
Main articles: Web Interoperability and Web accessibility
Furthermore, scripts will not work for all users. For example, a user may:
- use an old or rare browser with incomplete or unusual DOM support,
- or be visually or otherwise disabled and use a speech browser
Main articles: Cross-site scripting and Cross-site request forgery
XSS vulnerabilities can also occur because of implementation mistakes by browser authors.
Another cross-site vulnerability is cross-site request forgery or CSRF. In CSRF, code on an attacker’s site tricks the victim’s browser into taking actions the user didn’t intend at a target site (like transferring money at a bank). It works because, if the target site relies only on cookies to authenticate requests, then requests initiated by code on the attacker’s site will carry the same legitimate login credentials as requests initiated by the user. In general, the solution to CSRF is to require an authentication value in a hidden form field, and not only in the cookies, to authenticate any request that might have lasting effects. Checking the HTTP Referer header can also help.
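The server-side check described above, as an added example that is not part of the original article: a Node.js sketch that authenticates a state-changing request by a hidden-form-field token in addition to the session cookie, with the Referer header as a secondary check. The session store, the request object layout, the field name csrf_token and the bank.example origins are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed in-memory session store (session id -> CSRF token); hypothetical.
const sessions = new Map();

// Issue a random per-session token; the page embeds it in a hidden form field.
function issueCsrfToken(sessionId) {
  const token = crypto.randomBytes(32).toString("hex");
  sessions.set(sessionId, token);
  return token;
}

// Constant-time comparison so the check does not leak how many bytes matched.
function tokenMatches(expected, supplied) {
  if (typeof expected !== "string" || typeof supplied !== "string") return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Compare parsed origins; a prefix test would accept bank.example.evil.test.
function sameOrigin(headerValue, allowedOrigin) {
  try { return new URL(headerValue).origin === allowedOrigin; } catch { return false; }
}

// req is a plain object shaped like a parsed HTTP request (assumed layout).
function checkRequest(req, allowedOrigin) {
  if (["GET", "HEAD", "OPTIONS"].includes(req.method)) {
    return { ok: true, reason: "no lasting effect" };
  }
  // Referer is a secondary check: reject when it is present and foreign.
  const referer = req.headers.referer;
  if (referer && !sameOrigin(referer, allowedOrigin)) {
    return { ok: false, reason: "foreign referer" };
  }
  // The cookie alone never authorises the action; the form token must match.
  const expected = sessions.get(req.cookies.session_id);
  if (!tokenMatches(expected, req.body.csrf_token)) {
    return { ok: false, reason: "bad or missing token" };
  }
  return { ok: true, reason: "token verified" };
}

// Constructed request: the victim's cookie is sent, but the form carries no token.
function forgedRequestResult() {
  issueCsrfToken("sess-1");
  return checkRequest({ method: "POST", cookies: { session_id: "sess-1" }, body: {},
    headers: { referer: "https://bank.example.evil.test/x" } }, "https://bank.example");
}
```

A request whose Referer header is absent is still decided by the token, so the header check narrows what is accepted without replacing the form-field value.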
Modern web browsers now integrate features to prevent XSS attacks.
Misplaced trust in the client
Browser and plugin coding errors
These flaws have affected major browsers including Firefox, Internet Explorer, and Safari.
In Windows Vista, Microsoft has attempted to contain the risks of bugs such as buffer overflows by running the Internet Explorer process with limited privileges. Google Chrome similarly limits page renderers to an operating-system-enforced “sandbox.”
Sandbox implementation errors
Uses outside web pages
- ActionScript, the programming language used in Adobe Flash, is another implementation of the ECMAScript standard.
- The Java programming language, in version SE 6 (JDK 1.6), introduced the
- The Qt C++ toolkit includes a
MacOS object for interaction with the operating system and third-party applications.
- ECMAScript was included in the VRML97 standard for scripting nodes of VRML scene description files.
- Maxwell Render provides an ECMA-standard-based scripting engine for task automation.
- Google Docs Spreadsheet has a script editor which allows users to create custom formulas, automate repetitive tasks and also interact with other Google products such as Gmail.
Script debuggers are available for Internet Explorer, Firefox, Safari, Google Chrome, and Opera.
Opera includes a set of tools called DragonFly.