Javascript, even Google abuses it.

What is it about javascript that makes companies just not understand it? Google has generally produced good software, but like just about every other company in the world, they just can’t do anything with javascript. Why?

Google has had a script insertion security flaw in its customisation page for over 2 years. It was slightly fixed at some point in between: now you need to double up the javascript:. This change is perhaps even worse, as it suggests the programmers simply do not understand the issues and simply responded to the bug report by stripping javascript: from the front of the parameter. This is all the easier as Google already does the document.domain stuff to allow you to easily sniff GMail passwords etc.
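The difference between stripping a javascript: prefix once and allowlisting URL schemes, as an added example that is not part of the original post and is not Google's code. The function names, base URL and sample parameter values are constructed for illustration.

```javascript
// Added illustration: hypothetical names and constructed inputs, not Google's code.

// The kind of fix the post describes: remove one leading "javascript:".
// This is a denylist applied once, so the result is never re-checked.
function stripSchemeOnce(value) {
  return value.replace(/^javascript:/i, "");
}

// Allowlist approach: resolve the value with the URL parser, then accept
// only the schemes the page actually needs. Everything else is rejected.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function safeHref(value, base) {
  let url;
  try {
    url = new URL(value, base); // relative values resolve against base
  } catch (e) {
    return null; // unparseable input is rejected, not repaired
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Constructed sample parameter values.
const BASE = "https://example.test/prefs";
const samples = [
  "https://example.test/style.css",
  "/themes/blue.css",
  "javascript:void(0)",
  "javascript:javascript:void(0)", // the doubled prefix the post mentions
];

// Run both filters over the same inputs so the results can be compared.
function compare(values) {
  return values.map((v) => ({
    input: v,
    stripped: stripSchemeOnce(v),
    allowlisted: safeHref(v, BASE),
  }));
}

console.table(compare(samples));
```

The last row is the one that matters: the stripped value is still a javascript: URL, while the allowlist returns null for it.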

That’s not really my complaint here though, although that’s serious enough in itself. My problem is how bad they are when they use script. Google never used much script before, but now with GMail and the new Google Groups it’s being used totally in GMail, and heavily in Google Groups. The quality of it is shocking though. I think it’s clear they’ve not got a javascript expert in, but are using back end guys with little or no script experience, and not even the skills to use Google Groups to learn more.

What I’m complaining about is code like this: var is_mac = (agt.indexOf("mac") != -1); where they decide whether a system is a mac or not based on the 3 letters mac being in the user agent string. User agent strings contain all sorts of weird and wonderful names; just a quick grep of last week’s logs of this site showed up Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:0.9.4)+Gecko/20011128+Netscape6/6.2.1+(emach0202). Now Google thinks that’s a mac, do you? This isn’t someone screwing around with their string, but just a custom build and distribution of the browser; all browsers do it. Then there’s things like if (document.all) { IS_IE = 1; despite the fact that document.all is supported by tens of browsers that aren’t IE. There’s probably no point going on about the failures of browser detection, it’s been well said before by everyone in comp.lang.javascript, but this isn’t the only failure in Google’s script.

Looking deeper into the Google script (I’ll use the Groups Beta, as everyone can look at that script, but GMail is similar if not worse by virtue of the sheer weight of script), we see lots of browser sniffing and no error protection, so browsers which spoof as IE, but aren’t quite, just get errors. They rely on popups but don’t check to see if they work etc.

The main GMail code isn’t as bad; it’s reasonably well thought out, but contains all the same browser detection gibberish as above. There’s some error protection, but no attempt to recover. Still, the script file is loaded once when you go in and everything is done with IFRAMEs, so it should be easy for people to bolt on GMail extensions that change the way it behaves. Of course, you may well be fighting battles as they change the script “protocols”.

