Not to be confused with Java (programming language).
The following features are common to all conforming ECMAScript implementations, unless explicitly specified otherwise.
Functions are first-class; they are objects themselves. As such, they have properties and methods, such as length and call(); and they can be assigned to variables, passed as arguments, returned by other functions, and manipulated like any other object. Any reference to a function allows it to be invoked using the () operator.
'Inner' or 'nested' functions are functions defined within another function. They are created each time the outer function is invoked. In addition, the scope of the outer function, including any constants, local variables and argument values, becomes part of the internal state of each inner function object, even after execution of the outer function concludes.
functions as object constructors
functions as methods
Unlike many object-oriented languages, there is no distinction between a function definition and a method definition. Rather, the distinction occurs during function calling; a function can be called as a method. When a function is called as a method of an object, the function's local this keyword is bound to that object for that invocation.
run-time environment
An indefinite number of parameters can be passed to a function. The function can access them through formal parameters and also through the local arguments object.
array and object literals
Like many scripting languages, arrays and objects (associative arrays in other languages) can each be created with a succinct shortcut syntax. In fact, these literals form the basis of the JSON data format.
A simple recursive function:
Anonymous function (or lambda) syntax:
Variadic function demonstration: (This will alert with 1 then 2 then 3. arguments is a special variable)
Example - syntax and semantics
The following output should be displayed in the browser window.
Furthermore, scripts may not work for some users. For example, a user may:
Often the process of making a complex web page as accessible as possible becomes a nontrivial problem where issues become matters of debate and opinion, and where compromises are necessary in the end. However, user agents and assistive technologies are constantly evolving and new guidelines and relevant information are continually being published on the web.
Some browsers include partial protection against reflected XSS attacks, in which the attacker provides a URL including malicious script. However, even users of those browsers are vulnerable to other XSS attacks, such as those where the malicious code is stored in a database. Only correct design of Web applications on the server side can fully prevent XSS.
XSS vulnerabilities can also occur because of implementation mistakes by browser authors.
Another cross-site vulnerability is cross-site request forgery or CSRF. In CSRF, code on an attacker's site tricks the victim's browser into taking actions the user didn't intend at a target site (like transferring money at a bank). It works because, if the target site relies only on cookies to authenticate requests, then requests initiated by code on the attacker's site will carry the same legitimate login credentials as requests initiated by the user. In general, the solution to CSRF is to require an authentication value in a hidden form field, and not only in the cookies, to authenticate any request that might have lasting effects. Checking the HTTP Referer header can also help.
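The server-side check described above, sketched for Node.js as an added example (it is not code from the original article). The origin `https://bank.example`, the `/transfer` form, the `csrf_token` field name and all function names are assumptions made for illustration.

```javascript
const { randomBytes, timingSafeEqual } = require('node:crypto');

const SITE_ORIGIN = 'https://bank.example'; // assumed origin of the target site
const sessions = new Map();                 // session id -> { user, csrfToken }

// At login the session id goes into a cookie; the CSRF token never does.
function createSession(user) {
  const sid = randomBytes(16).toString('hex');
  sessions.set(sid, { user, csrfToken: randomBytes(32).toString('hex') });
  return sid;
}

// The token reaches the page only as a hidden form field.
function renderTransferForm(sid) {
  const { csrfToken } = sessions.get(sid);
  return `<form method="POST" action="/transfer">
  <input type="hidden" name="csrf_token" value="${csrfToken}">
  <input name="to"><input name="amount"><button>Send</button>
</form>`;
}

const originOf = (url) => { try { return new URL(url).origin; } catch { return null; } };

// Constant-time comparison of the stored token with the submitted one.
function tokensMatch(expected, supplied) {
  const a = Buffer.from(expected);
  const b = Buffer.from(String(supplied ?? ''));
  return a.length === b.length && timingSafeEqual(a, b);
}

// Decide whether a request may proceed. GET is assumed to have no lasting effects.
function checkRequest(req) {
  const session = sessions.get(req.cookies.sid);
  if (!session) return { allowed: false, reason: 'no session' };
  if (req.method === 'GET') return { allowed: true, reason: 'safe method' };
  // Secondary check: a Referer naming another origin is rejected.
  const referer = req.headers.referer;
  if (referer && originOf(referer) !== SITE_ORIGIN)
    return { allowed: false, reason: 'cross-site referer' };
  // Primary check: the cookie alone is not enough; the body must carry the token.
  if (!tokensMatch(session.csrfToken, req.body.csrf_token))
    return { allowed: false, reason: 'bad csrf token' };
  return { allowed: true, reason: 'ok' };
}

// Constructed request: a cross-site POST carries the cookie but cannot know the token.
const demoSid = createSession('alice');
console.log(checkRequest({ method: 'POST', cookies: { sid: demoSid }, headers: {},
  body: { to: 'mallory', amount: '1000' } }));
```

An absent Referer is allowed through to the token check here, because some clients strip the header; the token comparison is what decides the request.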
Script debuggers are available for Internet Explorer, Firefox, Safari, Google Chrome, and Opera.
Opera includes a set of tools called Dragonfly.