Microsoft initially participated in the standards process and implemented some proposals in its JScript language, but eventually it stopped collaborating on Ecma work. Thus ECMAScript 4 was mothballed.

In July 2008, these disparate parties came together for a conference in Oslo. This led to the eventual agreement in early 2009 to combine all relevant work and drive the language forward. The result was the ECMAScript 5 standard, released in December 2009.

The following features are common to all conforming ECMAScript implementations unless explicitly specified otherwise.

Prototypal inheritance in JavaScript is described by Douglas Crockford as:

Historically, some JavaScript engines supported these non-standard features:

// Declares a function-scoped variable named `x`, and implicitly assigns the// special value `undefined` to it. Variables without value are automatically// Declares a block-scoped variable named `y`, and implicitly sets it to// Declares a block-scoped, un-reassignable variable named `z`, and sets it to// a string literal. The `const` keyword was also introduced in ECMAScript 2015,// The keyword `const` means constant, hence the variable cannot be reassigned// Declares a global-scoped variable and assigns 3. This is generally considered// Declares a variable named `myNumber`, and assigns a number literal (the value// Reassigns `myNumber`, setting it to a string literal (the value `"foo"`).// This is frowned upon, as it can overwrite the document if the document is fully loaded.// Elements can be made too. First, they have to be created in the DOM.// Elements can be imperatively grabbed with querySelector for one element, or querySelectorAll for multiple elements that can be loopped with forEach//checking the argument for legitimacy. Factorial is defined for positive integers. will be rounded to the closest integer. For non-integers consider using gamma function instead.`//The above checks need not be repeated in the recursion, hence defining the actual recursive part separately below.//The following line is a function expression to recursively compute the factorial. It uses the arrow syntax introduced in ES6.

This example shows that, in JavaScript, function closures capture their non-local variables by reference.

Arrow functions were first introduced in 6th Edition - ECMAScript 2015. They shorten the syntax for writing functions in JavaScript. Arrow functions are anonymous, so a variable is needed to refer to them in order to invoke them after their creation, unless surrounded by parenthesis and executed immediately.

// If there are no braces, the arrow function simply returns the expression// If an arrow function has only one parameter, the parentheses can be removed.// An arrow function, like other function definitions, can be executed in the same statement as they are created.// This is useful when writing libraries to avoid filling the global scope, and for closures.

Immediately-invoked function expressions are often used to create closures. Closures allow gathering properties and methods in a namespace and making some of them private:

// when reassigning a prototype, set the constructor property appropriately// so that this.gcd refers to this "redefinition" instead of LCMCalculator.prototype.gcd.// Note that this leads to a wrong result if the LCMCalculator object members "a" and/or "b" are altered afterwards.)// Object property names can be specified by strings delimited by double (") or single (') quotes.// Variable names do not collide with object properties, e.g., |lcm| is not |this.lcm|.// Using both es6 template literals and the (+) operator to concatenate values// Define generic output function; this implementation only works for Web browsers// They are used here to demonstrate JavaScript's inherent functional nature.// sort with this comparative function; => is a shorthand form of a function, called "arrow function"
LCMCalculator: a = 28, b = 56, gcd = 28, lcm = 56
LCMCalculator: a = 21, b = 56, gcd = 7, lcm = 168
LCMCalculator: a = 25, b = 55, gcd = 5, lcm = 275
LCMCalculator: a = 22, b = 58, gcd = 2, lcm = 638

Content Security Policy is the main intended method of ensuring that only trusted code is executed on a Web page.

Some browsers include partial protection against reflected XSS attacks, in which the attacker provides a URL including malicious script. However, even users of those browsers are vulnerable to other XSS attacks, such as those where the malicious code is stored in a database. Only correct design of Web applications on the server-side can fully prevent XSS.

Another cross-site vulnerability is cross-site request forgery (CSRF). In CSRF, code on an attacker's site tricks the victim's browser into taking actions the user did not intend at a target site (like transferring money at a bank). When target sites rely solely on cookies for request authentication, requests originating from code on the attacker's site can carry the same valid login credentials of the initiating user. In general, the solution to CSRF is to require an authentication value in a hidden form field, and not only in the cookies, to authenticate any request that might have lasting effects. Checking the HTTP Referrer header can also help.

Developers of client-server applications must recognize that untrusted clients may be under the control of attackers. The application author cannot assume that their JavaScript code will run as intended (or at all) because any secret embedded in the code could be extracted by a determined adversary. Some implications are:

Web browsers are capable of running JavaScript outside the sandbox, with the privileges necessary to, for example, create or delete files. Such privileges are not intended to be granted to code from the Web.

JSON, or JavaScript Object Notation, is a general-purpose data interchange format that is defined as a subset of JavaScript's object literal syntax.