I advise you to never write javascript for a public website if you would not describe yourself as an advanced javascript programmer. There are far too many ways to make mistakes which open your site up to XSS and even worse things.

my understanding was that since Jscript mostly just played in its own sandbox, it was like an extra layer of protection rather than the reverse.

of course, with jscript, it is out there for everyone to look at your code, and have fun with it if they can get into it.

Of course, from my reading, the basic rule is don't take anything from any user without sanitizing and verifying it, and while malicious is always there, stupid can be more dangerous.

"my understanding was that since Jscript mostly just played in its own sandbox, it was like an extra layer of protection rather than the reverse."

versus:

"I advise you to never write javascript for a public website if you would not describe yourself as an advanced javascript programmer."

hmmm...

hmmm...

What are you thinking?

Typically javascript is not used for anything that is substantially dangerous to a target website. My opinion is that's a good idea - anything potentially dangerous to a website owner should be done server-side (and it most cases it probably has to be anyway). This is perhaps changing a bit with AJAX, I suppose.

If you ask me, javascript security is more of a concern to end users/browsers than people authoring scripts.

Note that there's a big difference between java and javascript, and a small difference between jscript and javascript.

So, if I'm reading this correctly: The potential hazard with javascript (also known as jscript?) is that the visitor to a site could get hijacked to an undisclosed location. True story?

Javascript is client side which means it's all run within the context of the web browser a user has. This limits it's uses, and the potential damage. The risk to users is stealing data (e.g. cookies) or fooling them into loading unsafe resources (e.g. viruses or malware). This would be as a result of a malicious website operator, or by a hacker injecting code into a third party site.

Unless a webmaster uses javascript for inappropriate things (e.g. for validating credentials) then I don't see much of a risk factor, but I'm no expert by any means.