xkcd

[You, sir, name?]

Out of all HTML tags (including nonstandard IE silliness and deprecated tags), which one do you consider to be the most evil? (Some of the poll options have little justification for ever being used, while others have valid as well as evil uses.)

[Berengal]

No <frame>?

I'm voting for <blink>, since the only valid useage of that is "<blink>do not use &lt;frame&gt; tags!</blink>". Same goes for marquee, but I only get one vote.

Ironically, the <frame> tag is less evil because it does add more than the <blink> and <marquee> tags. <frame> is like Hitler*, at least kind to animals, but <blink> and <marquee> are kind to at most one puppy between them (the puppy's name being "DIE HITLER DIE").

*This post is made of God and Win.

[You, sir, name?]

D'oh. Forgot that one. Poll updated, please re-vote.

[Xanthir]

No <frame>?

I'm voting for <blink>, since the only valid useage of that is "<blink>do not use &lt;frame&gt; tags!</blink>". Same goes for marquee, but I only get one vote.

Ironically, the <frame> tag is less evil because it does add more than the <blink> and <marquee> tags. <frame> is like Hitler*, at least kind to animals, but <blink> and <marquee> are kind to at most one puppy between them (the puppy's name being "DIE HITLER DIE").

*This post is made of God and Win.

Frames aren't even kind to puppies. As soon as you turn away, they're taking the puppies you saw them petting and throttling them.

marquee actually does have a limited use on mobile devices, especially older ones, where you may want to be able to display a title with relatively large text without having it wrapping and taking up an entire screen.

[phillipsjk]

<Script> because few web-developers use the corresponding <noscript> tag for anything other than presenting you with a blank page.

Some use the <noscript> tags to tell you to enable JavaScript. Without details I have no idea if the site has a legitimate reason to request an arbitrary amount of CPU time, or if they just want my web-browser to send more information about me (Facebook, l'm looking at you).

Slightly off topic (Automatic content negotiation, not <noscript>):

Code: Select all

#<<<                                             Incompatible Browser | Facebook
   #Facebook

     * Facebook logo

       [ ] Keep me logged in Forgot your password?
       Email_______________  ____________________ ____________________

                                                                       Login

   Sign Up
   Facebook helps you connect and share with the people in your life.




You are using an incompatible web browser.

   Sorry, we're not cool enough to support your browser. Please keep it
   real with one of the following browsers:
     * Mozilla Firefox
     * Safari
     * Microsoft Internet Explorer

   Facebook © 2010
   English (US)
   AboutAdvertisingDevelopersCareersTerms • Find FriendsPrivacyMobileHelp
   CenterBlogWidgets


[sgchr]

I also vote <script> for the same reasons phillipsjk stated. To give my own example, some game top sites add to their voting code <noscript>s to hide WoW Gold or anything else.

[Xanthir]

<Script> because few web-developers use the corresponding <noscript> tag for anything other than presenting you with a blank page.

Some use the <noscript> tags to tell you to enable JavaScript. Without details I have no idea if the site has a legitimate reason to request an arbitrary amount of CPU time, or if they just want my web-browser to send more information about me (Facebook, l'm looking at you).

It sounds like you're complaining about <noscript>, then? <noscript> was a bad idea anyway, because it makes parsing dependent on the environment, which causes all sorts of funtimes. For extra fun:

Code: Select all

<!DOCTYPE html>
<title>Foo</title>
<body>
<script>document.write('<noscript>');</script>
<p>blah blah blah...</p>
...


And that's why web browsers have to wait for scripts to finish before trying to display the page in many circumstances, thus slowing down your browsing experience.

[phillipsjk]

No, I do not object to the <noscript> tag. I agree it breaks the SGML a little bit, but it is a necessary evil created by the <script> tag.

Web-browsers (and other user-agents) are supposed to ignore tags they don't recognize. That means a web-browser should render:

Code: Select all

<script language="Brainfuck">>+++++++++[<++++++++>-]<.>+++++++[<++++>-]<+.+++++++..+++.[-]>++++++++[<++++>-]
<.#>+++++++++++[<+++++>-]<.>++++++++[<+++>-]<.+++.------.--------.[-]>++++++++[
<++++>-]<+.[-]++++++++++.</script><noscript><p>Hello World!</noscript>
<p>Source: <a href="http://esoteric.sange.fi/brainfuck/bf-source/prog/HELLOBF.BF">Hello World program</a>


As (if script tags not recognized):

>+++++++++[<++++++++>-]<.>+++++++[<++++>-]<+.+++++++..+++.[-]>++++++++[<++++>-]<.#>+++++++++++[<+++++>-]<.>++++++++[<+++>-<.+++.------.--------.[-]>++++++++[<++++>-]<+.[-]++++++++++.
Hello World!
Source: Hello World program

Result with tags recognized:

Hello World!
Source: Hello World program

The judicious use of <noscript> tags allows web developers to follow the principal of graceful degradation for content that sort of acts "outside" the page anyway.

Edit: That would probably be invalid HTML without escaping the angle brackets

[hotaru]

Web-browsers (and other user-agents) are supposed to ignore tags they don't recognize. That means a web-browser should render:

Code: Select all

<script language="Brainfuck">>+++++++++[<++++++++>-]<.>+++++++[<++++>-]<+.+++++++..+++.[-]>++++++++[<++++>-]
<.#>+++++++++++[<+++++>-]<.>++++++++[<+++>-]<.+++.------.--------.[-]>++++++++[
<++++>-]<+.[-]++++++++++.</script><noscript><p>Hello World!</noscript>
<p>Source: <a href="http://esoteric.sange.fi/brainfuck/bf-source/prog/HELLOBF.BF">Hello World program</a>


As (if script tags not recognized):

>+++++++++[<++++++++>-]<.>+++++++[<++++>-]<+.+++++++..+++.[-]>++++++++[<++++>-]<.#>+++++++++++[<+++++>-]<.>++++++++[<+++>-<.+++.------.--------.[-]>++++++++[<++++>-]<+.[-]++++++++++.
Hello World!
Source: Hello World program

Result with tags recognized:

Hello World!
Source: Hello World program

that shouldn't matter, because you're supposed to put scripts in external files and use the src attribute in your script tags.

[phillipsjk]

I hadn't thought of that. I still see a lot of short scripts done inline though.

With brainfuck you would have to use an external file since the programming language uses reserved symbols, so the normal trick of hiding the code from the browser with a comment won't work.

However, what you describe sounds a lot like the object tag: The use of Object tags (W3C)
So, the above code with the <object> tag instead of the script tag would be:

Code: Select all

<object data="./prog/HELLOBF.BF" type="script/brainfuck">
       <p>Hello World!
<!-- Source: http://esoteric.sange.fi/brainfuck/bf-source/prog/HELLOBF.BF --></object>

This would render with less ambiguity since the browsers supporting the object tag automatically ignore the enclosed content, and browser not recognizing the object tag will just render the contents. There is no need for a <script> (and <noscript>) tag.

Edit: Edited code to use a local copy

[cjmcjmcjmcjm]

I find it amusing that <bgsound> is easily the most hated tag and no one discusses it because its evil speaks for itself

[You, sir, name?]

Dunno, it isn't really used anymore. I'm not even sure if it's supported in modern browsers. If some dimwit gets the idea to add background music to their webpage, it's usually done through flash. Which is just one of the reasons flash is a blight on the internets

[Xanthir]

With brainfuck you would have to use an external file since the programming language uses reserved symbols, so the normal trick of hiding the code from the browser with a comment won't work.

You mean the <? Not really. Javascript doesn't require any form of escaping for its angle brackets. It does make handling the language a bit more difficult in the parser, but the pain's already been suffered.

[phillipsjk]

And what made you think I was talking about ECMA Script?

The W3C standards don't actually specify a specific programming language. Some of the <object> tag examples use Python, Randall's favorite language.

Your can't comment out a "brainfuck" script using "<!-- -->" because that would be a valid program: there is no "escaping" in the brainfuck language: unrecognized symbols are simply interpreted as comments.

Edit: that may not be a valid, since the first command is to decrement the pointer. If the index starts at '0', it would have to become '-1' or wrap around.
Edit2: On second thought, the program is still valid; the behavior is just implementation-dependent.

[Xanthir]

I didn't think you were talking about js. What I meant, though, was that you don't need to comment or escape anything if you embed Brainfuck in a <script>, because parsers are already set up to accept < in <script> due to js.

[phillipsjk]

"</script>" is also valid brainfuck code (although, that would just decrement the pointer and increment it again). I suppose for web development you can treat "</script>" as a reserved keyword like the Basics of yesteryear.

I don't like client-side scripting anyway: It takes control of the computer away from the user. Putting all of your applications in the "cloud" using HTML is downright silly.

[Berengal]

I don't like client-side scripting anyway: It takes control of the computer away from the user.

No more than any other random program takes control away. At least they're restricted to their own page, and can in theory be sandboxed away in their own, limited sandbox that won't eat away all your CPU and memory. The issue is really that nobody asks the user if he wants to "install" a new program (however temporary).

I'd like for browsers to give more control to users: NoScript should be an unneccessary add-on, scripts should have a relatively low CPU and memory limit by default which could all be drawn from a common pool of say, 50% CPU and 1GB total, divided evenly among pages by default, or set on a per-page basis. Whitelisted/graylisted domains could have their own pools/per-page settings (localhost/* would get unlimited CPU and memory, while badlywrittenjs.com/* would get just enough to react to button events.)

[hotaru]

scripts should have a relatively low CPU and memory limit by default which could all be drawn from a common pool of say, 50% CPU and 1GB total, divided evenly among pages by default, or set on a per-page basis.

but then i wouldn't be able to use the power of distributed computing for pointless things like trying to find the fourth wilson prime... well i could still do it, but the computing power available to me would be greatly reduced.

[You, sir, name?]

scripts should have a relatively low CPU and memory limit by default which could all be drawn from a common pool of say, 50% CPU and 1GB total, divided evenly among pages by default, or set on a per-page basis.

but then i wouldn't be able to use the power of distributed computing for pointless things like trying to find the fourth wilson prime... well i could still do it, but the computing power available to me would be greatly reduced.

You're not going to be able to squeeze -that- much power out of the CPU anyway, as javascript is mind-bogglingly slow compared to say C.

[hotaru]

You're not going to be able to squeeze -that- much power out of the CPU anyway, as javascript is mind-bogglingly slow compared to say C.

javascript is slow, but if you use efficient algorithms and have it running on several hundred thousand machines, you can do some pretty impressive things.

[You, sir, name?]

You're not going to be able to squeeze -that- much power out of the CPU anyway, as javascript is mind-bogglingly slow compared to say C.

javascript is slow, but if you use efficient algorithms and have it running on several hundred thousand machines, you can do some pretty impressive things.

If you have said C code running on the same number of machines, you'll be done ten times faster. And the code can be made to run in low priority, so that it doesn't compete with important processes or screw up system latency. The same can not be said for javascript. Intensive javascript code -will- cripple the browser, if not the entire system.

... unless you suggest doing it without the web site visitors' knowledge, in which case you're a CPU cycle robbing douchebag.

[hotaru]

If you have said C code running on the same number of machines, you'll be done ten times faster.

obviously. but it's a lot easier to get people to let you run javascript in their browser than it is to get them to run a binary for you.

And the code can be made to run in low priority, so that it doesn't compete with important processes or screw up system latency. The same can not be said for javascript. Intensive javascript code -will- cripple the browser, if not the entire system.

unless you use setInterval in a reasonable manner, so the browser has plenty of opportunities to do whatever it needs to do.

... unless you suggest doing it without the web site visitors' knowledge, in which case you're a CPU cycle robbing douchebag.

i use setInterval, so i'm not hogging the cpu and crippling the browser. it's only without their knowledge if they have no idea at all what they're doing. their browser requests the javascript file. the server it's hosted on dutifully replies with the requested resource. anything that happens after that is entirely up to them.

[You, sir, name?]

And the code can be made to run in low priority, so that it doesn't compete with important processes or screw up system latency. The same can not be said for javascript. Intensive javascript code -will- cripple the browser, if not the entire system.

unless you use setInterval in a reasonable manner, so the browser has plenty of opportunities to do whatever it needs to do.

This will have you obliterating older systems and underusing newer systems. Besides, any sort of task scheduling done with setInterval is going to be performing poorly at best.

Which brings us to

If you have said C code running on the same number of machines, you'll be done ten times faster.

obviously. but it's a lot easier to get people to let you run javascript in their browser than it is to get them to run a binary for you.

C is easily 10 times faster than Javscript. Add to that the fact that you really can't schedule more than 5% of the CPU time without starting to bog down the browser*. Add to that overhead from setInterval and the browser's internal workings and that's more like 1% effective CPU. So if you have 100,000 systems running your code in their browsers, it really only amounts to 100 systems running the equivalent C code (using the operating system for task priority handling instead of the browser).

* Javascript code is supposed to be some quick event handler like stuff, so browsers run it in a stop-the-world fashion, assuming it will be done shortly.

... unless you suggest doing it without the web site visitors' knowledge, in which case you're a CPU cycle robbing douchebag.

i use setInterval, so i'm not hogging the cpu and crippling the browser. it's only without their knowledge if they have no idea at all what they're doing. their browser requests the javascript file. the server it's hosted on dutifully replies with the requested resource. anything that happens after that is entirely up to them.

It's a matter of abused trust. People let you run javascript on your website assuming you will use it responsibly for adding functionality that's to their benefit. By using their CPU cycles for other purposes, you're abusing that trust. And someone abusing trust through some technicality is like the definition of a douchebag.

It's exactly this sort of thing that drives people to use noscript and it's ilk.

[hotaru]

People let you run javascript on your website assuming you will use it responsibly for adding functionality that's to their benefit.

apparently you don't understand how javascript in web pages works. i don't run the javascript in their browser. i just make it available. it's up to whoever is viewing the page whether to download it or not, and if they do download it, it's up to them whether to run it or not.

[You, sir, name?]

People let you run javascript on your website assuming you will use it responsibly for adding functionality that's to their benefit.

apparently you don't understand how javascript in web pages works. i don't run the javascript in their browser. i just make it available. it's up to whoever is viewing the page whether to download it or not, and if they do download it, it's up to them whether to run it or not.

Ah, so it's not secretly run in the background whenever someone visits the page, but an opt-in sort of deal?

[Xanthir]

And the code can be made to run in low priority, so that it doesn't compete with important processes or screw up system latency. The same can not be said for javascript. Intensive javascript code -will- cripple the browser, if not the entire system.

unless you use setInterval in a reasonable manner, so the browser has plenty of opportunities to do whatever it needs to do.

This will have you obliterating older systems and underusing newer systems. Besides, any sort of task scheduling done with setInterval is going to be performing poorly at best.

That's why they invented Workers, so you can explicitly offload your javascript computation to new threads and not tie up the browser.[/quote]

apparently you don't understand how javascript in web pages works. i don't run the javascript in their browser. i just make it available. it's up to whoever is viewing the page whether to download it or not, and if they do download it, it's up to them whether to run it or not.

...

...what?

[phillipsjk]

Hotaru: Is that sort of like how users have the "option" of downloading a graphic picture when they visit goat.se? (I did not make that a link on purpose: lynx (a text-only browser) confirms your are still presented with a file called "hello.jpg" (The name of the site was provided for reference only. You DON'T need to visit.))

Not everyone knows the difference between their web-browser and their OS; never mind the difference between JavaScript, Flash, and syle sheets (all of which can but used for drop-down menus).

[hotaru]

Ah, so it's not secretly run in the background whenever someone visits the page, but an opt-in sort of deal?

all javascript is. to run it, you have to be using a browser that supports javascript, and things like chrome's content filters, adblock, and noscript have to be set to allow it.

Hotaru: Is that sort of like how users have the "option" of downloading a graphic picture when they visit goat.se? (I did not make that a link on purpose: lynx (a text-only browser) confirms your are still presented with a file called "hello.jpg" (The name of the site was provided for reference only. You DON'T need to visit.))

yes. when i visit that site, all i see is a blank page. hello.jpg is not downloaded.

Not everyone knows the difference between their web-browser and their OS; never mind the difference between JavaScript, Flash, and syle sheets (all of which can but used for drop-down menus).

they should either learn the difference or get off the internet. you don't think we should let people who don't know the difference between a road and a sidewalk drive on sidewalks, do you?

[You, sir, name?]

Ah, so it's not secretly run in the background whenever someone visits the page, but an opt-in sort of deal?

all javascript is. to run it, you have to be using a browser that supports javascript, and things like chrome's content filters, adblock, and noscript have to be set to allow it.

Which brings us back to

It's a matter of abused trust. People let you run javascript on your website assuming you will use it responsibly for adding functionality that's to their benefit. By using their CPU cycles for other purposes, you're abusing that trust. And someone abusing trust through some technicality is like the definition of a douchebag.

[phillipsjk]

yes. when i visit that site, all i see is a blank page. hello.jpg is not downloaded.

I didn't know you could block images on a per-site basic (With Firefox) Learn something new every day! I was going to call "bullshit" because the image has "alt" text, but that is not displayed either.

Not everyone knows the difference between their web-browser and their OS; never mind the difference between JavaScript, Flash, and syle sheets (all of which can but used for drop-down menus).

they should either learn the difference or get off the internet. you don't think we should let people who don't know the difference between a road and a sidewalk drive on sidewalks, do you?

I don't think the typical user can be expected to know the difference if the Default OS tries to hide that distinction as much as possible. Starting with Windows 98, Internet Explorer was explicitly tied to the OS in an attempt to get around an anti-trust lawsuit over browser bundling. Businesses are still struggling with "Web-based" programs that are in reality deeply tied to Internet Explorer 6 (and by extension, WindowsXP (via ActiveX controls)).

[ZeroSkulleton]

The most evil tag is </b>. Because its 1 character away from </b/>.

[MoD]

Google abuses iframes so much. It makes me hurt inside.

[userxp]

I'm sorry to revive such an old thread, but I noticed that nobody here seems to know about the <plaintext> tag. Try it. I'm surprised browsers still implement that.

[Xanthir]

Well, it's an invalid tag, but since there are (very old) pages out there that rely on it, HTML defines how to handle it.

A more fun (old and invalid) tag is <xmp> - it's like a combination of <pre> and <plaintext>. Everything between an <xmp> tag and the following </xmp> tag is interpreted as plain text.

(The <plaintext> tag, in contrast, denotes that the rest of the page is plain text. There is no end tag, because plain text doesn't have tags.)

[Steax]

<plaintext> has been depreciated since HTML 3.5 or something, and was totally removed in HTML 4. That's 12 years ago... So yeah. I can imagine a use for it in the days where you couldn't pass a text MIME type to get the browser to render it as text... or something.

[Xanthir]

Note, though, that while <plaintext> is invalid, HTML5 still defines what to do with it when you find it. In particular, go here and search for "plaintext".

[woddfellow2]

I voted for <bgsound />. I dislike any non-standard element. I dislike <marquee /> more than <blink />, due to the former originating from Micro$oft... The latter at least has the saving grace of originating from Netscape.

[lynkyn]

I'm voting for <bgsound>. It was about 3/5ths of what was wrong with the internet that took until 2008 to repair. I'm guilty of the occasional <center>, but if the page is permanent enough that I have a CSS file, I'll use CSS for alignments.

[lynkyn]

The most evil tag is </b>. Because its 1 character away from </b/>.

And <strong> is usually better, but that too

[astrekmaster]

I voted for <blink>, because it's only purpose seems to be YOU'VE WON A NEW IPAD! CLICK HERE!!!! Well, as far as I can tell, at least.

The other evil one is the HTML5 pointerlock , which I could see advertisers abusing.