GNU Emacs: new critical remote shell injection vulnerability

@lispi314 @LorenzoAncora @tennoseremel @lxo >Technically, other flaws in a browser implementation may permit it.
Technically yes, but every single exploit I've seen has used JavaScript.

@Suiseiseki the exploits you can see and that are published are only a small fraction of the total. Most exploits are sold and then kept secret.

@tennoseremel @lxo @lispi314

@LorenzoAncora @Suiseiseki @tennoseremel @lxo Which is a good reason to be disappointed by all the C++ browsers with C libraries lacking any formal verification being used.

It is a predictable outcome and yet practices are not being adapted accordingly.

One of the most important would be to constrain unexpected computation the browser may induce (no arbitrary code execution, such as JavaScript), since hardware vulnerabilities of various sorts may defeat even entirely correct programs' security.

@lispi314 you can disable JavaScript in your browser if you want, but 98% of public websites worldwide depend on JavaScript and will not work or have reduced functionality if its disabled.

No webmaster likes to do more work, if we use JS, it means its necessary.

@lispi314 most banks are forced to use JS in order to enforce certain verifications and security policies.

Online banking used it for the last decades, in a form or another. You just started to pay more attention to it, like most of us.

@Suiseiseki @tennoseremel @quasi @lxo

@LorenzoAncora @lispi314 @tennoseremel @quasi @lxo There is no legal requirement that the "verification" or "security policies" are implemented with JavaScript specifically.

JavaScript is just a cheap way to implement things (as web developers don't know HTML - only JavaScript), even though it is the worst way to implement the vast majority of functionality.

@Suiseiseki web developers must know HTML, CSS, JavaScript and sometimes a language like Python, PHP, Perl, ...

The law never imposed a specific language, it is superfluous, as JavaScript is and has always been the only way.

Different solutions would require too much server-side processing and some verifications cannot be implemented server-side, thus requiring JS.

@LorenzoAncora >some verifications cannot be implemented server-side, thus requiring JS.
The only place verification can work is server side - as the client cannot be trusted to follow a protocol.

>as JavaScript is and has always been the only way.
Imagine not even knowing about the previous existence of Flash.

JavaScript certainly isn't the only away - as it's easier to just write a free software client that implements the functionality in a sane language (you don't even need to bother to write one - you just make an API available with some documentation and someone will write one).

Using JavaScript to verify input is like trusting a client to provide a newline-terminated string to the server - the server needs to actually verify a string is newline terminated before processing an operation that expects a newline.

@Suiseiseki verification happens server-side, JavaScript is used for data gathering and preparation. If the JavaScript is maliciously altered by the client, the server simply rejects the request.

@LorenzoAncora >verification happens server-side,
Then then client-side JavaScript verification is clearly not needed.

>JavaScript is used for data gathering and preparation
HTML5 is perfectly capable of gathering data and preparing it for submission - it can even check the input format without JavaScript.

But instead of using the HTML5 forms, your typical web developer writes up some JavaScript abortion that performs far worse than the built-in forms.

@Suiseiseki maybe I didn't explain myself: the verification of data integrity and correctness happens server-side too, not only client-side.

JavaScript is also needed to guarantee compatibility with older web browsers which don't support all HTML5 features. In addition, HTML5 forms can check the input for syntactical correctness, but cannot process nor alter collected data.

JavaScript exists for a good reason.

@LorenzoAncora >guarantee compatibility with older web browsers
Proprietary JS site do not support older browsers - those are primarily designed to run only on chrome and sometimes those run on firefox too.

If the browser doesn't support the used HTML5 features, chances are it won't support the execution of the JavaScript framework used either.

>the verification of data integrity and correctness happens server-side too, not only client-side.
It is a waste of electricity to check twice when you only need to check once.

Processing and altering collected data is up to the server.

If the task is processing and altering information for the user, then the user should do such processing on their own computer with free software without involving a server.

JavaScript exists because it was too easy to think that adding cancer in the form of scripting would make things nicer.

@Suiseiseki @LorenzoAncora JavaScript interpreter Java applet for older browser compatibility

@LorenzoAncora @lispi314 or maybe that they are lazy and want to use some fancy JS "framework" instead of writing proper HTML? I'm not a web developer myself but for most websites I could imagine HTML versions that do the job just as well. Maybe they don't look as fancy but I personally don't care about that.