Archive for May, 2004

BBC News Online - also can’t script…

Monday, May 31st, 2004

It seems that scripting and QA is going further, and further downhill on the web, BBC News Online, one of the largest and most visited sites in the world, has been serving up a script error on its homepage for days now. How difficult is it really to check that your variables are defined before you access them?

Web Application Workshop

Saturday, May 22nd, 2004

The Web Application Workshop is coming up, Hixie seems to think the result will be an SVG/XForms combination Working Group. I really hope that’s not the case, and it’s not the idea I get from the position papers.

As Hixie notes, many of the Position papers encourage SVG as the rendering language, this I agree is essential for web-applications to support, but it’s also essential that it support HTML+CSS so it can be authored in IE6 - web applications need to become much more decoupled from the language.

What web-applications need mostly are a standard Object Model to do the useful things - mostly rubber stamping the current state-of-the art, getting Opera to support the XMLHttpRequest object would be a huge first step - Mozilla, Safari, IE all support it, if Opera did too, I wouldn’t need much more other than a client-side store, and access to interesting client features in appropriate security environments.

My prediction will be for a Working Group Chartered to standardise an Object Model, and a generic XML format for describing various things that can be styled with XSLT (to HTML), CSS, or SVG and actioned with script.

It’s less pessimisistic than Hixie’s view, and he’s more likely to know, but I hope I’m write, it’ll be a waste of a plane fare if not - although the three days in SFO either side might make the trip more useful.

Javascript, even Google abuses it.

Saturday, May 22nd, 2004

What is it about javascript that makes companies just not understand it? Google has generally produced good software, but like just about every other company in the world, they just can’t do anything with javascript. Why?

Google has had a script insertion security flaw in it’s customisation page for over 2 years, it was slightly fixed at some point in between, now you need to double up the javascript:. This change is perhaps even worse as it suggests the programmers simply do not understand the issues, and simply responded to the bug report by stripping javascript: from the front of the parameter. This is all the easier as google already does the document.domain stuff to allow you to easily sniff gmail passwords etc.

That’s not really my complaint here though, although that’s seriously enough in itself, my problem is how bad they are when they use script. Google never used much script before, but now with GMail and the new Google Groups it’s being used totally in GMail, and heavily in Google Groups. The quality of it is shocking though, I think it’s clear they’ve not got a javascript expert in, but are using back end guys with little or no script experience, and not even the skills to use google groups to learn more.

What I’m complaining about is code like this: var is_mac = (agt.indexOf("mac") != -1); where they decide a system is a mac or not based on the 3 letters mac being in the user agent string, user agents string contain all sorts of weird and wonderful names just a quick grep of last weeks logs of this site showed up Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:0.9.4)+Gecko/20011128+Netscape6/6.2.1+(emach0202) now Google thinks that’s a mac, do you? This isn’t someone screwing around with their string, but just a custom build and distribution of the browser, all browsers do it. Then there’s things like if (document.all) { IS_IE = 1; despite the fact that document.all is supported by 10’s of browsers that aren’t IE. There’s probably no point going on about the failures of browser detection, it’s been well said before by everyone in comp.lang.javascript but this isn’t the only failure in googles script.

Looking deeper into the google script - I’ll use the Groups Beta, as everyone can look at that script, but GMail is similar if not worse by virtue of the sheer weight of script, we see lots of browser sniffing, no error protection - so browsers which spoof as IE, but aren’t quite, they just get errors. They rely on popups but don’t check to see if they work etc.

The main GMail code isn’t as bad, it’s reasonably well thought out, but contains all the same browser detection gibberish as above, there’s some error protection, but no attempt to recover, still the script file is loaded once when you go in and everything done with IFRAMES, so it should be easy for people to bolt on gmail extensions that change the way it behaves - of course you may well be fighting battles as they change the script “protocols”.