Is JavaScript unsafe? Is it easy to hide malicious code in JavaScript?

I prefer to keep my browser settings configured for maximum protection, but this frequently breaks websites that use lots of JavaScript. Why is that happening? Is JavaScript somehow unsafe or is it easy to hide malicious code in JavaScript? What is the connection between JavaScript and the disruption of browsers that are more securely configured?

In addition, why do some websites block the Tor Browser? How can I design websites that do not block Tor users?

I guess I should say, I’m asking these questions, not because I’m involved in any extralegal activities, but as an artist, and as a human being, I value privacy, and freedom of expression. I don’t agree with infecting websites with trackers and all kinds of code that communicates back to either the host or other interested parties, like Google and Facebook.

What programming languages are safe to use if I want to design websites that are accessible to visitors that value their privacy, and choose the highest level of security when configuring their browser settings?

Thanks!

Perfectly reasonable question, and caution is perhaps warranted, but do realize that the web runs on JavaScript on the client side. We needn’t throw caution to the wind, though, just to enjoy the web. Most browsers have settings to restrict things like tracking cookies, extra-functional features, etc. along with a counter-setting to whitelist the sites we trust.

As for malicious JavaScript getting onto a system, most malware detectors will spot the code patterns if there is any interaction with the application layer of the local machine. One needs to be more aware of the user propensity to click things out of curiosity, or social engineering, phishing schemes and the like.

It’s rare that malicious code would get onto a user’s machine through mainstream websites or the like. More likely it would come in through e-mail or a special offer on some dodgy app. How much of a role JS plays in acquiring an infection is actually quite limited. It is the User who invites more destructive payloads to get onto their system, and only the user can initiate the installation process, and they must be an administrator to allow it to go forward.

Bottom line, keep a fair mind about permitting JS to run in your clients (browser, device, etc.) and limit cookies to the level of functionality you are content with. Most of the security issues relating to JS that can be mitigated by the browser and/or local malware protection are. It’s the User we have to concern ourselves over. Users are the vector by which malware gets onto a machine, and Users are the ones who allow the payload to be downloaded and its executable files installed. We cannot blame JavaScript for just doing what it promises to do in our browser environment.

On a side note, and this recommendation goes back decades… Set up a limited user account on your system, assuming one is available. (I only know about Windows.) Never use your Administrator account to browse the web. Log in and stay logged in to your limited user account and you run a much smaller risk of background installation of any software without your permission (as administrator), and you will be asked, which is why this account is so invaluable.

1 Like

Hi MTF,

Thanks for your very thorough explanation!!!

If we set aside human failure for a second, what about browser functionality when the security settings are enabled? Is there a way to write code that is not affected by increased security settings?

1 Like

JavaScript by itself cannot invade a user’s computer. It is not executable code, but script that needs the scripting engine to run it in the browser. By way of some user-enabled vector it can be used to download an executable payload written in a lower-level, compiled language, but it still needs to be installed on the local machine, which again involves user interaction.

TBH, I am not qualified to give a good answer to your question, but on the face of it one does not suspect there is a way for you or me to circumvent the limitations of JS. Bottom line, JS is not the enemy, malware is. It largely depends on social engineering, not script.

1 Like

Thanks!!

Then let’s set aside JavaScript - despite that being the subject of discussion -

What programming languages should I learn that are not disrupted by the browser security settings?

I am assuming CSS and HTML are fine. Am I correct in this assumption?

In addition to JavaScript I was thinking of learning Python. Does writing code in Python have the same issues as JavaScript?

I really have no advice to offer in terms of security and malware defense. Chances are there is reliable information somewhere online. Think in terms of ‘vector’; i.e., the means of getting malicious code onto a user’s machine. Browsers are a vector, but not in and of themselves. They depend largely on an unsuspecting user to initiate the process. Python can be run in a browser with the right support, though I’ve never worked with that language in a browser setting.

When we speak of ‘issues’, again, I’m not the person to ask about those. Sorry I cannot be more help.

1 Like

Okay, thanks for all your advice so far!!

I will keep this discussion page open for a little while to see if someone else might have additional advice.

Thanks!!

1 Like