high-level, interpreted programming language. It is a language which
is also characterized as dynamic, weakly typed, prototype-based and
HTML and CSS,
core technologies of
World Wide Web content engineering. It is used to
make dynamic webpages interactive and provide online programs,
including video games. The majority of websites employ it, and all
modern web browsers support it without the need for plug-ins by means
of a built-in
ECMAScript specification, with some engines not supporting the spec
fully, and with many engines supporting additional features beyond
As a multi-paradigm language,
functional, and imperative (including object-oriented and
prototype-based) programming styles. It has an
API for working with
text, arrays, dates, regular expressions, and basic manipulation of
the DOM, but the language itself does not include any I/O, such as
networking, storage, or graphics facilities, relying for these upon
the host environment in which it is embedded.
engines are now embedded in many other types of host software,
including server-side in web servers and databases, and in non-web
programs such as word processors and PDF software, and in runtime
environments that make
desktop applications, including desktop widgets.
Although there are strong outward similarities between
Java, including language name, syntax, and respective standard
libraries, the two languages are distinct and differ greatly in
Self and Scheme.
Beginnings at Netscape
In 1993, the
National Center for Supercomputing Applications (NCSA), a
unit of the University of Illinois at Urbana-Champaign, released NCSA
Mosaic, the first popular graphical Web browser, which played an
important part in expanding the growth of the nascent World Wide Web.
In 1994, a company called Mosaic Communications was founded in
Mountain View, California and employed many of the original NCSA
Mosaic authors to create Mosaic Netscape. However, it intentionally
shared no code with NCSA Mosaic. The internal codename for the
company's browser was Mozilla, which stood for "Mosaic killer", as the
company's goal was to displace NCSA Mosaic as the world's number one
web browser. The first version of the Web browser, Mosaic Netscape
0.9, was released in late 1994. Within four months it had already
taken three-quarters of the browser market and became the main browser
for the Internet in the 1990s. To avoid trademark ownership problems
with the NCSA, the browser was subsequently renamed
in the same year, and the company took the name Netscape
Netscape Communications realized that the Web needed
to become more dynamic. Marc Andreessen, the founder of the company
HTML needed a "glue language" that was easy to use by
Web designers and part-time programmers to assemble components such as
images and plugins, where the code could be written directly in the
Web page markup.
Netscape Communications recruited
Brendan Eich with the goal
of embedding the Scheme programming language into its Netscape
Navigator. Before he could get started,
Sun Microsystems to include in
Sun's more static programming language Java, in order to compete with
Microsoft for user adoption of Web technologies and platforms.
Netscape Communications then decided that the scripting language they
wanted to create would complement Java and should have a similar
syntax, which excluded adopting other languages such as Perl, Python,
TCL, or Scheme. To defend the idea of
proposals, the company needed a prototype. Eich wrote one in 10 days,
in May 1995.
Although it was developed under the name Mocha, the language was
LiveScript when it first shipped in beta releases of
Netscape Navigator 2.0 in September 1995, but it was renamed
Netscape Navigator 2.0 beta
3 in December. The final choice of name caused confusion, giving
the impression that the language was a spin-off of the Java
programming language, and the choice has been characterized as a
marketing ploy by
Netscape to give
then the hot new Web programming language.
There is a common misconception that
earlier Web page scripting language developed by Nombas named Cmm (not
to be confused with the later
C-- created in 1997). Brendan
Eich, however, had never heard of Cmm before he created
LiveScript. Nombas did pitch their embedded Web page scripting to
Netscape, though Web page scripting was not a new concept, as shown by
ViolaWWW Web browser. Nombas later switched to offering
the TC39 group that standardized ECMAScript.
In December 1995, soon after releasing
Netscape introduced an implementation of the language for server-side
Netscape Enterprise Server.
Since 1996, the IIS web-server has supported Microsoft's
JScript -- in ASP and
Since the mid-2000s, additional server-side
have been introduced, such as
Node.js in 2009.
Adoption by Microsoft
Microsoft script technologies including
released in 1996. JScript, a reverse-engineered implementation of
Internet Explorer 3.
also available for server-side scripting in Internet Information
Internet Explorer 3 also included Microsoft's first support
CSS and various extensions to HTML, but in each case the
implementation was noticeably different to that found in Netscape
Navigator at the time. These differences made it difficult for
designers and programmers to make a single website work well in both
browsers, leading to the use of "best viewed in Netscape" and "best
viewed in Internet Explorer" logos that characterized these early
years of the browser wars.
reputation for being one of the roadblocks to a cross-platform and
standards-driven Web. Some developers took on the difficult task of
trying to make their sites work in both major browsers, but many could
not afford the time. With the release of
Internet Explorer 4,
Microsoft introduced the concept of Dynamic HTML, but the differences
in language implementations and the different and proprietary Document
Object Models remained and were obstacles to widespread take-up of
In November 1996,
to carve out a standard specification, which other browser vendors
could then implement based on the work done at Netscape. This led to
the official release of the language specification ECMAScript
published in the first edition of the ECMA-262 standard in June 1997,
JScript are other well-known implementations of
The standards process continued in cycles, with the release of
ECMAScript 2 in June 1998, which brings some modifications to conform
to the ISO/IEC 16262 international standard. The release of ECMAScript
3 followed in December 1999, which is the baseline for modern day
ECMAScript 4 work led by Waldemar Horwat
(then at Netscape, now at Google) started in 2000 and at first,
Microsoft seemed to participate and even implemented some of the
proposals in their
JScript .NET language.
Over time it was clear though that
Microsoft had no intention of
cooperating or implementing proper
even though they had no competing proposal and they had a partial (and
diverged at this point) implementation on the
.NET server side. So by
2003, the original
ECMAScript 4 work was mothballed.
The next major event was in 2005, with two major happenings in
Brendan Eich and
Mozilla rejoined Ecma
International as a not-for-profit member and work started on
XML (E4X), the ECMA-357 standard, which came from
Microsoft employees at
BEA Systems (originally acquired as
Crossgain). This led to working jointly with
acquired by Adobe Systems), who were implementing
E4X in ActionScript
ActionScript 3 was a fork of original
So, along with Macromedia, work restarted on
ECMAScript 4 with the
goal of standardizing what was in
ActionScript 3. To this end, Adobe
Systems released the
ActionScript Virtual Machine 2, code named
Tamarin, as an open source project. But Tamarin and
were too different from web
the parties in 2007 and 2008.
Alas, there was still turmoil between the various players; Douglas
Crockford—then at Yahoo!—joined forces with
Microsoft in 2007 to
ECMAScript 4, which led to the
ECMAScript 3.1 effort. The
ECMAScript 4 was never completed, but that work
influenced subsequent versions.
While all of this was happening, the open source and developer
communities set to work to revolutionize what could be done with
Garrett released a white paper in which he coined the term Ajax, and
described a set of technologies, of which
used to create web applications where data can be loaded in the
background, avoiding the need for full page reloads and leading to
more dynamic applications. This resulted in a renaissance period of
communities that formed around them, with libraries such as Prototype,
jQuery, Dojo Toolkit, MooTools, and others being released.
In July 2008, the disparate parties on either side came together in
Oslo. This led to the eventual agreement in early 2009 to rename
ECMAScript 3.1 to
ECMAScript 5 and drive the language forward using an
agenda that is known as Harmony.
ECMAScript 5 was finally released in
In June 2011,
ECMAScript 5.1 was released to fully align with the
third edition of the ISO/IEC 16262 international standard. ECMAScript
2015 was released in June 2015.
ECMAScript 2016 was released in June
2016. The current version is
ECMAScript 2017, released in June
the Web. Initially, however, many professional programmers denigrated
the language because, among other reasons, its target audience
consisted of Web authors and other such "amateurs". The advent of
professional programming attention. The result was a proliferation of
programming practices, and increased usage of
browsers, as seen by the proliferation of
In January 2009, the
CommonJS project was founded with the goal of
specifying a common standard library mainly for
outside the browser.
it is increasingly being used as a compile target for source-to-source
compilers from both dynamic languages and static languages.
Oracle Corporation in the United
States. It is used under license for technology invented and
Netscape Communications and current entities such as
The terms Vanilla
extended by any frameworks or additional libraries. Scripts written in
Vanilla JS are plain
The following features are common to all conforming ECMAScript
implementations, unless explicitly specified otherwise.
All modern Web browsers support
Imperative and structured
(e.g., if statements, while loops, switch statements, do while loops,
etc.). One partial exception is scoping:
only function scoping with var.
ECMAScript 2015 added keywords let and
const for block scoping, meaning
block scoping. Like C,
expressions and statements. One syntactic difference from C is
automatic semicolon insertion, which allows the semicolons that would
normally terminate statements to be omitted.
As with most scripting languages,
type is associated with each value, rather than just with each
expression. For example, a variable that is at one time bound to a
number may later be re-bound to a string.
various ways to test the type of an object, including duck typing.
provided as strings at run-time.
is an associative array, augmented with a prototype (see below); each
string key provides the name for an object property, and there are two
syntactical ways to specify such a name: dot notation
(obj.x = 10) and bracket notation (obj['x'] = 10).
A property may be added, rebound, or deleted at run-time. Most
properties of an object (and any property that belongs to an object's
prototype inheritance chain) can be enumerated using a for...in loop.
use classes for inheritance. It is possible to simulate many
Functions as object constructors
Functions double as object constructors, along with their typical
role. Prefixing a function call with new will create an instance of a
prototype, inheriting properties and methods from the constructor
(including properties from the Object prototype).
offers the Object.create method, allowing explicit creation of an
instance without automatically inheriting from the Object prototype
(older environments can assign the prototype to null). The
constructor's prototype property determines the object used for the
new object's internal prototype. New methods can be added by modifying
built-in constructors, such as Array or Object, also have prototypes
that can be modified. While it is possible to modify the Object
prototype, it is generally considered bad practice because most
Object prototype, and they may not expect the prototype to be
Functions as methods
Unlike many object-oriented languages, there is no distinction between
a function definition and a method definition. Rather, the distinction
occurs during function calling; when a function is called as a method
of an object, the function's local this keyword is bound to that
object for that invocation.
A function is first-class; a function is considered to be an object.
As such, a function may have properties and methods, such as .call()
and .bind(). A nested function is a function defined within
another function. It is created each time the outer function is
invoked. In addition, each nested function forms a lexical closure:
The lexical scope of the outer function (including any constant, local
variable, or argument value) becomes part of the internal state of
each inner function object, even after execution of the outer function
Functions as roles (Traits and Mixins)
Role patterns like Traits and Mixins. Such a function
defines additional behavior by at least one method bound to the this
keyword within its function body. A Role then has to be delegated
explicitly via call or apply to objects that need to feature
additional behavior that is not shared via the prototype chain.
Object composition and inheritance
Whereas explicit function-based delegation does cover composition in
prototype chain is walked in order to, e.g., find a method that might
be related to but is not directly owned by an object. Once the method
is found it gets called within this object's context. Thus inheritance
the prototype property of constructor functions.
browser) to provide objects and methods by which scripts can interact
with the environment (e.g., a webpage DOM). It also relies on the
run-time environment to provide the ability to include/import scripts
HTML <script> elements). This is not a language feature
per se, but it is common in most
a new message,
message, which creates a call stack frame (the function's arguments
and local variables). The call stack shrinks and grows based on the
function's needs. Upon function completion, when the stack is empty,
the event loop, described as "run to completion" because each message
is fully processed before the next message is considered. However, the
language's concurrency model describes the event loop as non-blocking:
program input/output is performed using events and callback functions.
This means, for instance, that
while waiting for a database query to return information.
An indefinite number of parameters can be passed to a function. The
function can access them through formal parameters and also through
the local arguments object.
Variadic functions can also be created by
using the bind method.
Array and object literals
Like many scripting languages, arrays and objects (associative arrays
in other languages) can each be created with a succinct shortcut
syntax. In fact, these literals form the basis of the
Perl, which provide a concise and powerful syntax for text
manipulation that is more sophisticated than the built-in string
Mozilla Foundation, and new
language features are added periodically. However, only some
property getter and setter functions (supported by WebKit, Gecko,
Opera, ActionScript, and Rhino)
conditional catch clauses
iterator protocol (adopted from Python)
shallow generators-coroutines (adopted from Python)
array comprehensions and generator expressions (adopted from Python)
proper block scope via the let keyword
array and object destructuring (limited form of pattern matching)
concise function expressions (function(args) expr)
XML (E4X), an extension that adds native
XML support to
ECMAScript (unsupported in
Firefox since version 21)
    var x; // defines the variable x and assigns to it the special value "undefined" (not to be confused with an undefined value)
    var y = 2; // defines the variable y and assigns to it the value 2
    var z = "Hello, World!"; // defines the variable z and assigns to it a string containing "Hello, World!"
Note the comments in the example above, all of which were preceded
with two forward slashes.
environment provides that. The
ECMAScript specification in edition 5.1
… indeed, there are no provisions in this specification for input of
external data or output of computed results.
However, most runtime environments have a console object that can
be used to print output. Here is a minimalist
Hello World program in
A simple recursive function:
    function factorial(n) {
        if (n === 0)
            return 1; // 0! = 1
        return n * factorial(n - 1);
    }
    factorial(3); // returns 6
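An anonymous function (or lambda):
    function counter() {
        var count = 0;
        return function() { // anonymous inner function, closes over count
            return ++count;
        };
    }
    var closure = counter();
    closure(); // returns 1
    closure(); // returns 2
    closure(); // returns 3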
their non-local variables by reference.
is known as a function object.
    function Ball(r) {
        this.radius = r; // the radius variable is local to the ball object
        this.area = Math.PI * r ** 2;
        this.show = function() { // objects can contain functions
            drawCircle(r); // references a circle drawing function
        };
    }
    var myBall = new Ball(5); // creates a new instance of the ball object with radius 5
    myBall.show(); // this instance of the ball object has the show function performed on it
Variadic function demonstration (arguments is a special variable):
    function sum() {
        var x = 0;
        for (var i = 0; i < arguments.length; ++i)
            x += arguments[i];
        return x;
    }
    sum(1, 2); // returns 3
    sum(1, 2, 3); // returns 6
Immediately-invoked function expressions are often used to create
modules, as before
ECMAScript 2015 there was no built-in construct in
the language. Modules allow gathering properties and methods in a
namespace and making some of them private:
    var counter = (function () {
        var i = 0; // private property
        return { // public methods
            get: function () {
                console.log(i);
            },
            set: function (value) {
                i = value;
            },
            increment: function () {
                console.log(++i);
            }
        };
    })(); // module
    counter.get(); // shows 0
    counter.set(6);
    counter.increment(); // shows 7
    counter.increment(); // shows 8
More advanced example
This sample code displays various
    /* Finds the lowest common multiple (LCM) of two numbers */
    function LCMCalculator(x, y) { // constructor function
        var checkInt = function(x) { // inner function
            if (x % 1 !== 0) {
                throw new TypeError(x + " is not an integer");
            }
            return x;
        };
        this.a = checkInt(x)
        //   semicolons   ^^^^ are optional, a newline is enough
        this.b = checkInt(y);
    }
    // The prototype of object instances created by a constructor is
    // that constructor's "prototype" property.
    LCMCalculator.prototype = { // object literal
        constructor: LCMCalculator, // when reassigning a prototype, set the constructor property appropriately
        gcd: function() { // method that calculates the greatest common divisor
            // Euclidean algorithm:
            var a = Math.abs(this.a),
                b = Math.abs(this.b),
                t;
            if (a < b) {
                // swap variables
                t = b;
                b = a;
                a = t;
            }
            while (b !== 0) {
                t = b;
                b = a % b;
                a = t;
            }
            // Only need to calculate GCD once, so "redefine" this method.
            // (Actually not redefinition—it's defined on the instance itself,
            // so that this.gcd refers to this "redefinition" instead of
            // LCMCalculator.prototype.gcd.
            // Note that this leads to a wrong result if the LCMCalculator
            // object members "a" and/or "b" are altered afterwards.)
            // Also, 'gcd' === "gcd", this['gcd'] === this.gcd
            this['gcd'] = function() {
                return a;
            };
            return a;
        },
        // Object property names can be specified by strings delimited by
        // double (") or single (') quotes.
        lcm: function() {
            // Variable names don't collide with object properties, e.g.,
            // lcm is not this.lcm.
            // not using this.a*this.b to avoid FP precision issues
            var lcm = this.a / this.gcd() * this.b;
            // Only need to calculate lcm once, so "redefine" this method.
            this.lcm = function() {
                return lcm;
            };
            return lcm;
        },
        toString: function() {
            return "LCMCalculator: a = " + this.a + ", b = " + this.b;
        }
    };
    // Define generic output function; this implementation only works for
    // Web browsers
    function output(x) {
        document.body.appendChild(document.createTextNode(x));
        document.body.appendChild(document.createElement('br'));
    }
    // Note: this uses Array's map() and forEach().
    [
        [25, 55],
        [21, 56],
        [22, 58],
        [28, 56]
    ].map(function(pair) { // array literal + mapping function
        return new LCMCalculator(pair[0], pair[1]);
    }).sort((a, b) => a.lcm() - b.lcm()) // sort with this comparative function; => is a shorthand form of a function, called an "arrow function"
        .forEach(function(obj) {
            output(obj + ", gcd = " + obj.gcd() + ", lcm = " + obj.lcm());
        });
The following output should be displayed in the browser window.
LCMCalculator: a = 28, b = 56, gcd = 28, lcm = 56
LCMCalculator: a = 21, b = 56, gcd = 7, lcm = 168
LCMCalculator: a = 25, b = 55, gcd = 5, lcm = 275
LCMCalculator: a = 22, b = 58, gcd = 2, lcm = 638
Use in Web pages
See also: Dynamic
HTML and Ajax (programming)
As of May 2017 94.5% of 10 million most popular web pages used
client-side behavior to
HTML pages, also known as Dynamic HTML
(DHTML). Scripts are embedded in or included from
HTML pages and
interact with the
Document Object Model (DOM) of the page. Some simple
examples of this usage are:
Loading new page content or submitting data to the server via Ajax
without reloading the page (for example, a social network might allow
the user to post status updates without leaving the page).
Animation of page elements, fading them in and out, resizing them,
moving them, etc.
Interactive content, for example games, and playing audio and video.
Validating input values of a Web form to make sure that they are
acceptable before being submitted to the server.
Transmitting information about the user's reading habits and browsing
activities to various websites. Web pages frequently do this for Web
analytics, ad tracking, personalization or other purposes.
than on a remote server), the browser can respond to user actions
quickly, making an application more responsive. Furthermore,
HTML alone cannot, such
as individual keystrokes. Applications such as
Gmail take advantage of
an e-mail message) to the server. The wider trend of Ajax programming
similarly exploits this strength.
Brendan Eich at Netscape, for the
Netscape Navigator Web browser. The engine, code-named SpiderMonkey,
is implemented in C. It has since been updated (in
ECMAScript 3. The Rhino engine, created primarily by Norris
implementation in Java. Rhino, like SpiderMonkey, is
Web browser is by far the most common host environment for
Web server is another common host
Web server would typically expose host
HTTP request and response objects, which a
dynamically generate Web pages.
share support for, it has become a target language for many frameworks
in other languages, even though
such a language. Despite the performance limitations inherent to
its dynamic nature, the increasing speed of
made the language a surprisingly feasible compilation target.
Below is a minimal example of a standards-conforming Web page
HTML 5 syntax) and the DOM:
    document.getElementById('hellobutton').onclick = function() {
        alert('Hello world!'); // Show a dialog
        var myTextNode = document.createTextNode('Some new words');
        document.body.appendChild(myTextNode); // Append "Some new words" to the page
    };
Main article: Web interoperability
part of testing and debugging is to test and verify that the
The DOM interfaces for manipulating Web pages are not part of the
ECMAScript standard, or of
interfaces are defined by a separate standardization effort by the
W3C; in practice, browser implementations differ from the standards
To deal with these differences,
write standards-compliant code that will also be executed correctly by
most browsers; failing that, they can write code that checks for the
presence of certain browser features and behaves differently if they
are not available. In some cases, two browsers may both implement
a feature but with different behavior, and authors may find it
practical to detect what browser is running and change their script's
behavior to match. Programmers may also use libraries or
toolkits that take browser differences into account.
Furthermore, scripts may not work for some users. For example, a user
use an old or rare browser with incomplete or unusual DOM support;
use a speech browser due to, for example, a visual disability.
To support these users, Web authors can try to create pages that
degrade gracefully on user agents (browsers) that do not support the
without the extra features that the
sites use the
HTML <noscript> tag, which contains alt content if
JS is disabled. An alternative approach that many find preferable is
to first author content using basic technologies that work in all
enabled. This is known as progressive enhancement.
See also: Browser security
deliver scripts to run on a client computer via the Web. Browser
authors minimize this risk using two restrictions. First, scripts run
in a sandbox in which they can only perform Web-related actions, not
general-purpose programming tasks like creating files. Second, scripts
are constrained by the same-origin policy: scripts from one Web site
do not have access to information such as usernames, passwords, or
are breaches of either the same origin policy or the sandbox.
(SES)—that provide greater levels of security, especially on code
created by third parties (such as advertisements). Caja is
another project for safe embedding and isolation of third-party
Content Security Policy is the main intended method of ensuring that
only trusted code is executed on a Web page.
See also: Content Security Policy
Cross-site scripting and Cross-site request forgery
One cross-site vulnerability is cross-site scripting (XSS), a violation
of the same-origin policy. XSS vulnerabilities
occur when an attacker is able to cause a target Web site, such as an
online banking website, to include a malicious script in the webpage
presented to a victim. The script in this example can then access the
banking application with the privileges of the victim, potentially
disclosing secret information or transferring money without the
victim's authorization. A solution to XSS vulnerabilities is to use
HTML escaping whenever displaying untrusted data.
Some browsers include partial protection against reflected XSS
attacks, in which the attacker provides a URL including malicious
script. However, even users of those browsers are vulnerable to other
XSS attacks, such as those where the malicious code is stored in a
database. Only correct design of Web applications on the server side
can fully prevent XSS.
XSS vulnerabilities can also occur because of implementation mistakes
by browser authors.
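The HTML escaping described above, as an added example that is not part of the original article: the same stored comment is rendered once by plain string concatenation and once through an escaping template. All function names, the sample comment, and the toy start-tag parser (a stand-in for how a browser would read the markup) are constructed for illustration.

```javascript
// Characters that are significant in HTML text and in quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are the developer's own markup,
// every interpolated value is treated as untrusted data and escaped.
function html(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    '');
}

// Vulnerable form: untrusted fields are pasted straight into the markup.
function renderCommentUnsafe(comment) {
  return '<li title="' + comment.author + '">' + comment.text + '</li>';
}

// Hardened form: same markup, but the fields pass through escapeHtml().
function renderCommentSafe(comment) {
  return html`<li title="${comment.author}">${comment.text}</li>`;
}

// Toy inspection helper (not a sanitizer, not a real HTML parser): lists the
// start tags and attribute names present in a markup string, so the effect of
// escaping can be checked without a browser.
function parseStartTags(markup) {
  const tags = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[\w-]+(?:="[^"]*")?)*)\s*>/g;
  for (const [, name, attrText] of markup.matchAll(tagRe)) {
    const attrs = [...attrText.matchAll(/([\w-]+)(?:="[^"]*")?/g)].map((m) => m[1]);
    tags.push({ name: name.toLowerCase(), attrs });
  }
  return tags;
}

// Constructed sample: a comment as it might be stored in a database, with
// markup in the text and a quote in the author name.
const STORED_COMMENT = {
  author: 'mallory" onmouseover="x',
  text: '<script>alert(1)</script>',
};

function demo() {
  const unsafe = renderCommentUnsafe(STORED_COMMENT);
  const safe = renderCommentSafe(STORED_COMMENT);
  return {
    unsafe,
    safe,
    unsafeTags: parseStartTags(unsafe), // the data became an element and an attribute
    safeTags: parseStartTags(safe),     // only the developer's <li title=...> remains
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Escaping as shown covers element text and quoted attribute values; data placed inside a script block or a URL needs the escaping rules of that context instead.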
Another cross-site vulnerability is cross-site request forgery (CSRF).
In CSRF, code on an attacker's site tricks the victim's browser into
taking actions the user didn't intend at a target site (like
transferring money at a bank). It works because, if the target site
relies only on cookies to authenticate requests, then requests
initiated by code on the attacker's site will carry the same
legitimate login credentials as requests initiated by the user. In
general, the solution to CSRF is to require an authentication value in
a hidden form field, and not only in the cookies, to authenticate any
request that might have lasting effects. Checking the
header can also help.
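One way to implement the CSRF defence described above on a Node.js server, as an added example that is not part of the original article: a per-session token placed in a hidden form field and verified on every request with lasting effects, with a check of the request's source header as a second signal. The site origin, the session id, the field name `csrf_token`, the use of the `Origin`/`Referer` headers and the request objects are assumptions constructed for the demonstration.

```javascript
const crypto = require('crypto');

// Constructed values for the demonstration.
const SERVER_SECRET = crypto.randomBytes(32);   // secret known only to the server
const SITE_ORIGIN = 'https://bank.example';     // hypothetical target site

// Token = HMAC(secret, session id). It is tied to one session and cannot be
// computed or read by a page on another origin, unlike the cookie, which the
// browser attaches to every request automatically.
function issueCsrfToken(sessionId) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(sessionId).digest('hex');
}

// The token travels in a hidden form field, not only in the cookie.
function renderTransferForm(sessionId) {
  return '<form method="POST" action="/transfer">' +
    '<input type="hidden" name="csrf_token" value="' + issueCsrfToken(sessionId) + '">' +
    '<input name="to"><input name="amount"><button>Send</button></form>';
}

// Constant-time comparison so the check does not leak how many characters matched.
function tokensMatch(presented, expected) {
  const a = Buffer.from(String(presented));
  const b = Buffer.from(String(expected));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Classifies where the request says it came from: 'same', 'foreign' or 'absent'.
// A missing header is not treated as proof of forgery, because some clients
// strip it; the token check still applies in that case.
function sourceOrigin(headers) {
  const source = headers.origin || headers.referer;
  if (!source) return 'absent';
  try {
    return new URL(source).origin === SITE_ORIGIN ? 'same' : 'foreign';
  } catch (err) {
    return 'foreign'; // unparsable value such as "null"
  }
}

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

function checkRequest(req) {
  if (!STATE_CHANGING.has(req.method)) {
    return { allowed: true, reason: 'no lasting effect' };
  }
  const sessionId = req.cookies.session;
  if (!sessionId) {
    return { allowed: false, reason: 'no session cookie' };
  }
  if (sourceOrigin(req.headers) === 'foreign') {
    return { allowed: false, reason: 'request came from another origin' };
  }
  if (!tokensMatch(req.body.csrf_token || '', issueCsrfToken(sessionId))) {
    return { allowed: false, reason: 'missing or invalid token' };
  }
  return { allowed: true, reason: 'token verified' };
}

// Constructed requests. In every case the browser has attached the victim's
// session cookie, which is why the cookie alone proves nothing.
const SESSION = 'sess-constructed-1234';
const SAMPLE_REQUESTS = {
  legitimate: {
    method: 'POST', cookies: { session: SESSION },
    headers: { referer: SITE_ORIGIN + '/transfer' },
    body: { to: 'alice', amount: '10', csrf_token: issueCsrfToken(SESSION) },
  },
  forgedCrossSite: {
    method: 'POST', cookies: { session: SESSION },
    headers: { referer: 'https://attacker.example/page' },
    body: { to: 'mallory', amount: '1000' },
  },
  forgedNoReferer: {
    method: 'POST', cookies: { session: SESSION },
    headers: {},
    body: { to: 'mallory', amount: '1000', csrf_token: 'deadbeef' },
  },
  readOnly: { method: 'GET', cookies: { session: SESSION }, headers: {}, body: {} },
};

function runSamples() {
  const results = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    results[name] = checkRequest(req);
  }
  return results;
}

console.log(runSamples());
```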
<script> tag on an attacker's site exploits a page on the
victim's site that returns private information such as
requiring an authentication token in the POST and GET parameters for
any response that returns private information.
Misplaced trust in the client
Developers of client-server applications must recognize that untrusted
clients may be under the control of attackers. The application author
cannot assume that his
all) because any secret embedded in the code could be extracted by a
determined adversary. Some implications are:
operates because the raw source code must be sent to the client. The
code can be obfuscated, but obfuscation can be reverse-engineered.
security. If a site verifies that the user agreed to its terms of
service, or filters invalid characters out of fields that should only
contain numbers, it must do so on the server, not only the client.
Scripts can be selectively disabled, so
to prevent operations such as right-clicking on an image to save
It is extremely bad practice to embed sensitive information such as
Misplaced trust in developers
Package management systems such as npm and Bower are popular with
their program's dependencies upon other developers' program libraries.
Developers trust that the maintainers of the libraries will keep them
secure and up to date, but that is not always the case. A
vulnerability has emerged because of this blind trust. Relied-upon
libraries can have new releases that cause bugs or vulnerabilities to
appear in all programs that rely upon the libraries. Conversely, a
library can go unpatched with known vulnerabilities out in the wild.
A study of a sample of 133k websites found that 37% of the websites
included a library with at least one known vulnerability. "The median
lag between the oldest library version
used on each website and the newest available version of that library
is 1,177 days in ALEXA, and development of some libraries still in
active use ceased years ago." Another possibility is that the
maintainer of a library may remove the library entirely. This occurred
in March 2016 when Azer Koçulu removed his repository from npm. This
caused tens of thousands of programs and websites depending upon
his libraries to break.
Browser and plugin coding errors
capabilities, some of which may have flaws such as buffer overflows.
These flaws can allow attackers to write scripts that would run any
code they wish on the user's system. This code is not by any means
limited to another
overrun exploit can allow an attacker to gain access to the operating
API with superuser privileges.
These flaws have affected major browsers including Firefox,
Internet Explorer, and Safari.
Plugins, such as video players, Adobe Flash, and the wide range of
ActiveX controls enabled by default in
Microsoft Internet Explorer,
may also have flaws exploitable via
exploited in the past).
In Windows Vista,
Microsoft has attempted to contain the risks of bugs
such as buffer overflows by running the
Internet Explorer process with
Google Chrome similarly confines its page
renderers to their own "sandbox".
Sandbox implementation errors
Web browsers are capable of running
with the privileges necessary to, for example, create or delete files.
Of course, such privileges aren't meant to be granted to code from the
Incorrectly granting privileges to
a role in vulnerabilities in both Internet Explorer and
Firefox. In Windows XP Service Pack 2,
Microsoft demoted JScript's
privileges in Internet Explorer.
Microsoft Windows allows
drive to be launched as general-purpose, non-sandboxed programs (see:
Windows Script Host). This makes
Trojan horses are uncommon in practice.
rowhammer attack was described in a paper by security
could bypass ASLR. It's called "ASLR⊕Cache" or AnC.
Uses outside Web pages
In addition to Web browsers and servers,
embedded in a number of tools. Each of these applications provides its
own object model that provides access to the host environment. The
Embedded scripting language
Google's Chrome extensions, Opera's extensions, Apple's Safari 5
extensions, Apple's Dashboard Widgets, Microsoft's Gadgets, Yahoo!
Google Desktop Gadgets, and
Klipfolio are implemented
NodeJS are the core components of MEAN: a solution stack for
Clusterpoint database accept queries written in JS/SQL, which is a
Clusterpoint has built-in computing
engine that allows execution of
Adobe's Acrobat and Adobe Reader support
Tools in the Adobe Creative Suite, including Photoshop, Illustrator,
OpenOffice.org, an office application suite, as well as its popular
fork LibreOffice, allows
The visual programming language Max, released by Cycling '74, offers a
users to reduce visual clutter by using an object for a task rather
Apple's Logic Pro X digital audio workstation (DAW) software can
The Unity game engine supports a modified version of
scripting via Mono.
DX Studio (3D engine) uses the
SpiderMonkey implementation of
Maxwell Render (rendering software) provides an ECMA standard based
scripting engine for task automation.
Google Apps Script in
Google Spreadsheets and
Google Sites allows
users to create custom formulas, automate repetitive tasks and also
interact with other
Google products such as Gmail.
Many IRC clients, like
ChatZilla or XChat, use
RPG Maker MV uses
The text editor
language, introduced with version 13 in 2007.
Active Scripting technology supports
JScript as a
Java introduced the javax.script package in version 6 that includes a
Mozilla Rhino. Thus, Java
applications can host scripts that access the application's variables
and objects, much like Web browsers host scripts that access a
Document Object Model (DOM).
C++ toolkit includes a
analogous to Java's javax.script package.
OS X Yosemite introduced
Objective-C bridge that enables entire Cocoa applications
Late Night Software's
OSA, or JSOSA) is a freeware alternative to
AppleScript for OS X. It
is based on the
addition of a MacOS object for interaction with the operating system
and third-party applications.
ActionScript, the programming language used in Adobe Flash, is another
implementation of the
Adobe AIR (Adobe Integrated Runtime) is a
allows developers to create desktop applications.
Electron is an open-source framework developed by GitHub.
CA Technologies AutoShell cross-application scripting environment is
built on the
preprocessor-like extensions for command definition, as well as custom
classes for various system-related tasks like file I/O, operating
system command invocation and redirection, and COM scripting.
Apache Cordova is a mobile application development framework
Cocos2d is an open source software framework. It can be used to build
games, apps and other cross platform GUI based interactive programs
Chromium Embedded Framework (CEF) is an open source framework for
embedding a web browser engine based on the Chromium core
RhoMobile Suite is a set of development tools for creating
data-centric, cross-platform, native mobile consumer and enterprise
NW.js calls all
Node.js modules directly from the DOM and enables a new way
of writing applications with all Web technologies.
GNOME Shell, the shell for the
GNOME 3 desktop environment, made
Mozilla application framework (XPFE) platform, which underlies
Firefox, Thunderbird, and some other Web browsers, uses
implement the graphical user interface (GUI) of its various products.
for its application logic. Its declarative syntax is also similar to
Ubuntu Touch provides a
API for its unified usability
Open webOS is the next generation of web-centric platforms built to
run on a wide range of form factors.
enyo JS is a framework to develop apps for all major platforms, from
phones and tablets to PCs and TVs
WinJS provides a special Windows Library for
Windows 8 that enables the development of Modern style (formerly
Metro style) applications in
NativeScript is an open-source framework to develop apps on the Apple
iOS and Android platforms.
Weex is a framework for building mobile cross-platform UIs, created by
Chinese tech giant Alibaba
XULRunner is a packaged version of the
Mozilla platform to enable
standalone desktop application development
developing large, non-trivial programs. Because there can be
implementation differences between the various browsers (particularly
within the DOM), it is useful to have access to a debugger for each of
the browsers that a Web application targets.
Script debuggers are integrated within Internet Explorer, Firefox,
Google Chrome, Opera and Node.js.
In addition to the native
Internet Explorer Developer Tools, three
debuggers are available for Internet Explorer:
Microsoft Visual Studio
is the richest of the three, closely followed by
Editor (a component of
Microsoft Office), and finally the free
Debugger that is far more basic than the other two.
Microsoft Visual Web Developer Express provides a limited
version of the
Internet Explorer has included developer tools since version
In comparison to Internet Explorer,
Firefox has a more comprehensive
set of developer tools, which include a debugger as well. Old versions
of Firefox without these tools used a
Firefox addon called Firebug, or
the older Venkman debugger. Also, WebKit's
Web Inspector includes a
called Blink DevTools is used in
Node.js has Node
Inspector, an interactive debugger that integrates with the Blink
DevTools, available in
Google Chrome. Opera includes a set of tools
In addition to the native computer software, there are online
JSLint, developed by
Douglas Crockford who has written extensively on
three.js, provide links to demonstration code that can be edited by
users. They are also used as a pedagogical tool by institutions such
as Khan Academy to allow students to experience writing code in
an environment where they can see the output of their programs,
without needing any setup beyond a Web browser.
Benchmark tools for developers
(frontend overtakes many aspects which were done in backend before),
more consideration is also given to performance. Mobile devices in
particular can have problems rendering and processing
unoptimized complex logic.
One library for benchmarking is benchmark.js, which supports
high-resolution timers and returns statistically
significant results.
Another tool is jsben.ch. An online
where code snippets can be tested against each other.
Navigator Web browser. In the same year
Microsoft released an
implementation for Internet Explorer. This implementation was called
JScript due to trademark issues. In 1997, the first standardized
version of the language was released under the name
ECMAScript in the
first edition of the ECMA-262 standard. The explicit versioning and
opt-in of language features was Mozilla-specific and has been removed.
Firefox 4 was the last version which referred to a
language features are now often mentioned with their initial
definition in the ECMA-262 editions.
The following table is based on information from multiple
Old versions, no longer supported:
1.0
1.1
1.2
1.3: ECMA-262 1st + 2nd edition
1.4
1.5: ECMA-262 3rd edition
1.6: 1.5 + array extras + array and string generics + E4X
1.7: 1.6 + Pythonic generators + iterators + let
1.8: 1.7 + generator expressions + expression closures
1.8.1: 1.8 + native JSON support + minor updates
1.8.2 (June 22, 2009): 1.8.1 + minor updates
1.8.5 (July 27, 2010): 1.8.2 + new features for ECMA-262 5th edition compliance
Related languages and technologies
literal syntax. Like much of
functions as 1st class elements, closures, flexible classes, 'use
strict'), JSON, except for replacing Perl's key-value operator '=>'
by an RFC 822 inspired ':', is syntactically pure Perl.
jQuery is a popular
HTML scripting along with offering
cross-browser compatibility because various browsers respond
differently to certain vanilla
Underscore.js is a utility
that is used in both client-side and server-side network applications.
AngularJS are web application frameworks to use for
developing single-page applications and also cross-platform mobile
providing a view that is rendered using components specified as
Mozilla browsers currently support LiveConnect, a feature that allows
Mozilla-specific support for
LiveConnect was scheduled to be phased
out in the future in favor of passing on the
LiveConnect handling via
API to the Java 1.6+ plug-in (not yet supported on the Mac as of
March 2010). Most browser inspection tools, such as
Firebug in Firefox, include
the visible page's DOM.
asm.js is a subset of
engine or run faster in an ahead-of-time (AOT) compiling engine.
JSFuck is an esoteric programming language. Programs are written using
only six different characters, but are still valid
p5.js is an object oriented
artists and designers. It is based on the ideas of the Processing
project but is for the web.
jsben.ch is an online
code snippets can be tested against each other.
CRISP: A Strategy guiding Cloud Application Development for Beginners
is a strategy proposed by Ayush Sahu to develop optimized and secure
CRISP (Conversion, Reformat code, Isolate module, Sandbox, Partition)
strategy has been proposed for refined conversion of native
mostly used language among developers and provides rich API
(Application Programming Interface) for writing applications.
Use as an intermediate language
can run within a Web browser, it has become an intermediate language
for other languages to target. This has included both newly created
languages and ports of existing languages. Some of these include:
OberonScript, a full implementation of the Oberon programming language
Objective-J, a superset of
style dynamic dispatch and optional pseudo-static typing to
language designed to write visualizations, images, and interactive
content. It allows Web browsers to display animations, visual
applications, games and other graphical rich content without the need
for a Java applet or Flash plugin.
CoffeeScript, an alternate syntax for
concise and readable. It adds features like array comprehensions (also
cited as influential on
Scala, an object-oriented and functional programming language, has a
Pyjs, a port of
Google Web Toolkit to Python translates a subset of
Google Dart, an all-purpose, open source language that compiles to
Whalesong, a Racket-to-
known as asm.js
Fantom a programming language that runs on JVM,
TypeScript, a free and open-source programming language developed by
support for optional type annotations and some other language
extensions such as classes, interfaces and modules. A TS-script
compiles into plain
ECMAScript 3 or higher. The compiler is itself written in
Elm (programming language) is a pure functional language for web apps.
runtime exceptions, a time-traveling debugger, and enforced semantic
Haxe, an open-source high-level multiplatform programming language and
compiler that can produce applications and source code for many
ClojureScript, a compiler for
is designed to emit
advanced compilation mode of the
Google Closure optimizing compiler.
SqueakJS, a virtual machine and DOM environment for the open-source
Squeak implementation of the
Smalltalk programming language.
type, only double-precision binary floating point – languages that
integer-converting shift and bitwise logical operators may have
slightly different behavior than in other environments.
A common misconception is that
related to Java. It is true that both have a C-like syntax (the C
language being their most immediate common ancestor language). They
also are both typically sandboxed (when used inside a browser), and
mind. In particular, all Java keywords were reserved in original
classes from Java 1.0, but the similarities end there.
James Gosling of Sun Microsystems, and
Brendan Eich of Netscape Communications.
The differences between the two languages are more prominent than
is dynamic. Java is loaded from compiled bytecode, while
loaded as human-readable source code. Java's objects are class-based,
functional programming until Java 8, while
the beginning, being influenced by Scheme.
Starting in 2017, web browsers began supporting WebAssembly, a
technology standardized by the W3C. The
WebAssembly standard specifies
a binary format, which can be produced by a compiler toolchain such as
LLVM, to execute in the browser at near native speed. WebAssembly
allows programming languages such as C, C++, C# and Java to be used as