“Best course of action: disable scripting, but most of you can’t or don’t want to do that. The second best alternative might be to use extensions such as NoScript in Firefox that allows more selective control of who gets to do remote code execution in your browser.”
Remote code execution in your browser. Think about that. You have an antivirus solution scanning your files. You block email attachments, or you know better than to click on an attachment in email, or to run a .exe or .scr sent from strangers. But how comfortable are you that the web writers of all of the sites you visit (and the software they run, and the ads they host, and the feeds that supply their sites, and…) are running ‘safe’ code. Sadly, this is the whole assumption that AJAX can take over as the next-gen interface: trust of code that is not inspected in advance. Browser vendors will attempt to fix the problem by curtailing the functions the language can perform, but that only leads to reduced functionality. A general purpose language is like any tool: it can be used for good or evil. Putting a language in a “sandbox” where it can’t do things unsafe might just lead us back to Java, after a 10 year wander.