JSLint flags any use of the eval function with the message “eval is evil”. This is because eval is a hook right into the JavaScript compiler. It accepts a string as a parameter and then compiles it and runs it.

Further resources on the evils of eval are available through the above link. Here we are more interested in how document.write can equate to eval.

So how can document.write possibly equate to being the same? Well, we can demonstrate this with a simple example. You’ll need to set up an HTML page and a JS File with the following code:

HTML File

<script src="a.js" type="text/javascript"></script>

JS File

document.write('<script type="text/javascript">alert(1 + 2);</script>');
// eval only compiles strings; given the number 1+2 it would just return 3 unchanged
alert(eval('1 + 2'));

Or alternatively, download them from my sample: document.write.eval.zip

What happens when you run it? Well, you get “3” output twice.

The JavaScript compiler picks up the first line, and writes out some more JavaScript, which itself has to be executed and fed back into a compiler. So, in effect, we have a line of JavaScript that is responsible for invoking the compiler again. This first line is sending 1+2 to the compiler to be evaluated.

This is pretty much identical to what is happening with eval('1 + 2') in our second line.

Of course, the above works because we have separated out our HTML and JS. What if we had it all in a single HTML page? Something like:

<script type="text/javascript">
   document.write('<script type="text/javascript">alert(1 + 2);</script>');
</script>

The </script> inside the document.write string closes the original script tag on the first line. We are then left with a hanging '); that is output to the browser and an orphaned closing script tag.
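As an added illustration (this sketch is not from the original post), the following Node.js snippet models how the HTML parser cuts the inline block at the first closing script tag, and shows that writing the tag as <\/script inside the string keeps the block intact. The function names splitInlineScript, escapeScriptClose and wrapInline are made up for the example, and the parser model is deliberately simplified.

```javascript
// Added example, not from the original post. Simplified model of how an HTML
// parser ends an inline script block: the first "</script" end tag closes
// it, even when it sits inside a JavaScript string literal.
function splitInlineScript(html) {
  const open = /<script\b[^>]*>/i.exec(html);
  if (!open) {
    return null;
  }
  const rest = html.slice(open.index + open[0].length);
  const close = /<\/script(?:\s[^>]*)?>/i.exec(rest);
  if (!close) {
    return { script: rest, leftover: '' };
  }
  return {
    script: rest.slice(0, close.index),
    leftover: rest.slice(close.index + close[0].length)
  };
}

// Write "</script" as "<\/script". Inside a JS string literal "\/" is just
// "/", so the string's value is unchanged, but the HTML parser no longer
// sees an end tag in the middle of the code.
function escapeScriptClose(js) {
  return js.replace(/<\/(script)/gi, '<\\/$1');
}

// The statement from the post, embedded here as a constructed sample.
const statement =
  "document.write('<script type=\"text/javascript\">alert(1 + 2);</script>');";

// Wrap a piece of JavaScript in an inline script block, as in the post.
function wrapInline(js) {
  return '<script type="text/javascript">\n' + js + '\n</script>';
}

const brokenParts = splitInlineScript(wrapInline(statement));
const fixedParts = splitInlineScript(wrapInline(escapeScriptClose(statement)));

// What the browser treats as script, and what is left over as page text.
console.log('broken script  :', JSON.stringify(brokenParts.script.trim()));
console.log('broken leftover:', JSON.stringify(brokenParts.leftover));
console.log('fixed script   :', JSON.stringify(fixedParts.script.trim()));
console.log('fixed leftover :', JSON.stringify(fixedParts.leftover));
```

Moving the code into an external file, as in the first example, avoids the problem without any escaping.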

This may not be eval, but it is certainly evil.

So, there we have it: document.write can be a form of eval. But it doesn’t have to be eval to be evil. It should, therefore, be avoided.

We can, of course, turn this message off simply by turning on the ‘evil’ JSLint option, like so:

/*jslint evil: true */

Thanks to the wisdom of StackOverflow for helping to answer this: JSLint “document.write can be a form of eval” – How is this so?

A Guide To JSLint Messages

This article is one of a series on the error and warning messages produced by JSLint.


DO NOT REPLY EITHER WAY – THIS IS A SCAM

With my original debt settlement order spam text message post having gained significant velocity in the blogosphere, I thought it worth posting here with regard to a subtle change of tack for the spammers with this new message:

The government has introduced a Debt Relief Order. People struggling to pay bills can have debt wiped off for ever. For more info text INFO. To stop text STOP

This is hardly surprising. A search for Debt Settlement order in Google at the time of writing yielded the above post with the text ‘DO NOT REPLY EITHER WAY – THIS IS A SCAM’, whereas a search for Debt Relief Order revealed no such indication.

For now, all the info regarding this is on the above link.

Feel free to post any numbers and variants below. It’ll all help keep this prominent and prevent others from falling into the same trap.

Are You a Victim?

Screenchannel Television is making a new series about debt and loans and is looking for people to share their experiences. If you have been a victim of this scam, or have even considered responding and are interested in taking part, then you can read more in this article.


The Chainsaw-Severed Arm Counter-Scam

This is part of my blog series that started with the receipt of a debt settlement order spam text message.

Clearing the trail with my Stihl Chainsaw

Image by Odalaigh via Flickr

I decided to take the plunge and respond to a couple of these spam/scam text messages to see what response I got.

Within about an hour I received a call from an anonymous number, so took a deep breath and pressed the answer button. I was greeted by a lady at the opposite end of the line. I didn’t have access to recording facilities, so you’ll just have to make do with the transcript below:

Operator: “Hello, I am calling from Affiliate Data Systems regarding your recent accident.”

Me: “Yes, sorry, what was your name?”

Operator: “Affiliate Data Systems”

Me: “Sorry, did you say ‘Affiliate Data Systems’?” (I’m writing this down)

Operator: “Yes”

Me: “Right, yes, I’ve just recently cut my arm off with a chainsaw.”

Operator: “Really?”

(Of course, she was calling regarding my recent accident, so she should have known this)

Me: “Yes, it’s a pain, because it’s my right arm that is severed, and I’m right-handed”

Operator: “Right, well, can I take some details. What is your first name?”

(Note, she didn’t ask me why I was using the chainsaw with my left hand if I was right handed).

Me: “Hugh”

Operator: “And your second name?”

Me: “Jars. My name is Hugh Jars”

(I’m resisting the very acute temptation to snigger at this point)

Operator: “Right, Mr Jars, and what is your postcode”

Me: [Made something up]

Operator: “That doesn’t seem to exist”

Me: “That’s probably because I built it myself – that’s how my arm ended up getting severed”

Operator (ignoring me): “OK, what is your house number?”

Me: 2786

(Operator decides she’s had enough at this point and hangs up!)

Great fun, great fun! Especially hearing the surprise of the woman when hearing about the chainsaw accident.

Others are welcome to try the same! :-)

You can read more on this in my blog series on text message nuisances.


Why Bother?

JSLint contains a number of messages pertaining to the style, appearance and formatting of JavaScript code. This includes stipulations about bracing positions, indentation and spacing.

As a demonstration of this, paste the following into http://jslint.com/:

var x = 0;
switch(x){
    case 1:
        x++;
        break;
    case 2:
        x--;
        break;
    default:
        break;
}

Zero errors, right? Now click the flag ‘Strict white space’ (‘white’) and recheck…

Yikes! 10 errors (at the time of writing)!

So why should JSLint possibly care what your code looks like? After all, it’s all about bugs, isn’t it?

Well, on the surface, legible code equates to more maintainable code, which itself equates to less ambiguity and fewer bugs. But you may have your own internal guidelines that dictate how the JavaScript looks, i.e. how you indent, where you put your braces, etc. So you will have probably flipped the ‘white’ flag to ‘off’. After all, when given the above code snippet, JSLint returns a substantial amount of what you consider to be ‘noise’, which is of no use to you. Right?

However, in turning this option off, you are missing the opportunity to have a uniform and consistent convention across your code base, and a tool that can tell you where you are deviating from it.

But sometimes, formatting and positioning do have functional implications as well, and can lead to bugs. Consider the following code:

function GetObjectLiteral()
{
    return
   {
       x:0,
       y:1
   };
}
alert(GetObjectLiteral().x); //what do you expect?

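Regardless of what you expect the above to return, what you will not get is an alert box with the text ‘0’. This is because JavaScript’s automatic semicolon insertion ends the ‘return’ statement at the line break, so the object literal on the following lines is never returned. Different browsers may behave differently. IE8 complains about a missing semi-colon, whilst others will simply execute the ‘return’, passing control back to the calling function, and then fail to find the member ‘x’.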

Changing the bracing position fixes the code:

function GetObjectLiteral(){
    return{
       x:0,
       y:1
   };
}
alert(GetObjectLiteral().x); //alerts '0'

The Messages

So, let’s have a look at some of these messages…

Expected ‘{a}’ at column {b}, not column {c}.

This is a simple case of incorrect indentation. The most basic demonstration of this can be seen in the following code snippet:

var a = 0;
  var b = 0; //Problem at line 2 character 3: Expected 'var' at column 1, not column 3

Expected ‘{a}’ to have an indentation of {b} instead of {c}.

This is another indentation catch. The default indentation step is 4, meaning that indentation columns should start at positions 1, 5, 9, 13, 17, etc. The sample below uses an indent of 5 spaces, placing the start of the new column at character 6 (as the message denotes).

function MyFunc() {
     alert("hello"); //Problem at line 2 character 6: Expected 'alert' at column 5, not column 6.
//3456789
}

Expected exactly one space between ‘{a}’ and ‘{b}’.

This message goes some way to supporting JSLint’s assertion of correct bracing positions. You will see this message generated on the following code snippet.

if (x === 0)
{  //brace on next line
    alert("hello");
}

But even when you do place the brace on the correct line, JSLint requires you to apply the correct spacing. So, the following code snippets will also yield this message:

if (x === 0){ //no spaces
    alert("hello");
}

if (x === 0)  {//two spaces
    alert("hello");
}

Missing space between ‘{a}’ and ‘{b}’.

Haveyoutriedreadingsentencesthathavetheirspacesomitted? Generally, it’s not that easy, is it?

if (x === 0){    //Missing space between ')' and '{'
    alert("hello");
}

Mixed spaces and tabs.

This message is displayed when a line is indented with a mixture of spaces and tabs. Most IDEs will have an option to convert tabs into spaces automatically. I suggest you turn this on.

Unexpected space between ‘{a}’ and ‘{b}’

Here, JSLint is reporting that you have included a space where it did not expect one. The following code snippet will yield this message:

if ( x === 0){  //Unexpected space between '(' and 'x'
    alert("hello");
}


JSLint may just occasionally save you from yourself.

The following code is clearly nonsense. The clause will never evaluate to true, and your alert will never be shown:

if (1 === 0) {
    alert("hello");
}

But you’ll also get the JSLint message where the clause does evaluate to true:

if (1 === 1) {
    alert("hello");
}

In general, this message will appear when both sides of the clause are literal values or if they are identical, for example:

if (myVar === myVar) {
    alert("hello");
}

We are not just limited to ‘if’ clauses, either. ‘while’ tests will also yield this error.


In a JavaScript ‘switch’ block, JSLint expects every ‘case’ statement to be broken with a ‘break’ keyword.

So, the following code sample will fail:

var x = 0;
switch(x){
    case 1:
        x++;
        //where's the 'break;'?
        //so, 'fall through'
    case 2:
        x--;
        break;
    default:
        break;
}

In this sample, when ‘case 1’ matches, the interpreter executes the adjacent code and then ‘falls through’ into the code for the next clause, running it as well without testing that clause’s value. In the above code that means x is incremented and then immediately decremented.

Many consider this an advantageous language feature. Consider the scenario where you want to execute the same code under two different circumstances (i.e. implement an ‘or’ equivalent). For example:

var x = 0;
switch(x){
    case 1: //fallthrough
    case 2:
        x--;
        break;
    default:
        break;
}

Douglas Crockford, however, considers this to be a little too tricky. In his book ‘JavaScript: The Good Parts’, he mentions this:

I want to avoid idioms that look like mistakes.

I never allow switch cases to fall through to the next case. I once found a bug in my code caused by an unintended fall through…

He goes on to explain that language features that are sometimes useful, but occasionally dangerous are probably best avoided as it can be difficult for a developer/reviewer/maintainer to differentiate its use from a bug.


This one is fairly self-explanatory, so I’m not going to waste too much time on it.

In short, your switch statements really ought to have a ‘case’ statement. Otherwise they are really just pointless, empty blocks. Take the following:

var x = 0;
switch(x){
    default:
        break;
}

It’s hardly surprising that JSLint is going to complain about this.

The ‘why’ here should be obvious. Clearly you have some redundant code that should be removed or have omitted a chunk of functionality.


DO NOT REPLY EITHER WAY – THIS IS A SCAM

This is another spam text message in the same vein as the Debt Settlement Order Unsolicited Text Message that I wrote about in January earlier this year.

I received this a few days ago from 07581497874 / +447581497874.

You will almost certainly have a different number. Feel free to post it below, and follow the instructions below for reporting.

And here it is:

Are you looking for aloan up to 15k. No guarantor. Same day payout. Bad Credit OK. Completely online. Visit www.getaloanfast.co.uk To opt-out reply stop

Searching around there are other variants:

Your loan has been approved for up to 15K  No guarantor. Same day payout. Bad Credit OK. Completely online.

This is the first text where the name of the company (Getaloanfast.co.uk) is featured. I have deliberately not linked to their website but you can, of course, visit at your own leisure through the wonders of copy/paste. Monsters won’t emerge forth from your monitor and destroy the universe. No physical harm will befall you; however, I really wouldn’t bother. I was going to include a screenshot, but there’s a sneaky copyright at the bottom, so I thought I’d play it safe.

Let’s look carefully at the APR. Apparently, the ‘typical’ rate is 17.9%. The word ‘typical’ is particularly valid here. Essentially, it means that they would expect to give 66% (nearly two-thirds) of their customers a loan at that rate. Here are a couple of links with more details on ‘Typical APR’ if you are interested:

But this advertised rate is very misleading, because when you go through the loan application process you are not actually offered a loan from GetALoanFast.co.uk at all. So, you can kiss goodbye to that 17.9% right away!

In fact, the parent company that underpins this operation does its best to obfuscate its actual identity and actual interest rate until the very last stage in the process. And even then you are left a little unsure. Let’s have a look at this:

What Happens When You ‘Apply’?

So, let’s take an imaginary customer, Dr William T Conqueror, who wants to take out a 15K loan as they suggest. William, 35, is married, and is super-rich. He has a house valued at ten-million pounds with no mortgage and a monthly income of one million pounds. He has an impeccable credit history and wants the loan over sixty months for some home improvements.

We’re forced to enter a phone number, so I use the one above (i.e. the one that supposedly sent me the message in the first place). We go through the screens to get a quote. We are happily informed:

We are now matching your details with over 251 lenders to find you the best quotation possible, this will only take a few seconds……

251 companies? Wow! And then:

Loan Found

Great news, one of our approved partners has found you a loan.

This can all be done online and to save you time we have already pre-populated your details to their online portal ready for completion.

Hooray! So we are taken to the next page, and we’re not on the GetALoanFast.co.uk site anymore. Instead we are at ‘loanfinder.co.uk’. So, GetALoanFast may offer 17.9% APR, but it doesn’t appear possible to obtain a loan from them at all.

Rather than the originally touted 251 companies, we now appear to have ‘searched’ through 292! And what is the APR the ‘selected’ company is offering our zero-risk multi-millionaire doctor and lord of the manor?

53.9 %APR Representative

53.9%!!! According to the Guardian newspaper’s Loan Repayment Calculator, over 60 months we would end up paying back £28,544.10. That’s nearly double!

So, what of LoanFinder.co.uk? Well, they are a bit hard to pin down:

  • It uses GetALoanFast.co.uk as a front to make it appear that it offers a 17.9% APR
  • Loanfinder is a trading name of Post Net Ltd
  • Loanfinder is part of the Richmond Group of companies

Eh? So who are they then? It could be one of four different companies!

I would consider any company that is willing to resort to spamming thousands of phones in order to drum up business to be of extremely questionable and dubious repute. By seemingly attempting to ‘cloak’ their identity, they reduce my opinion of their rectitude yet further.

I would rather gnaw my own arm off than get a loan with this company.

And then I look even further. When searching in Google for LoanFinder.co.uk scam I get a whopping 36,000 results. Top of the list is an entire site dedicated to this – Loanfinderukscam.co.uk. Take a look further. The author is in no doubt that this is a scamming operation, although they do publish a response from them on HubPages.com.

Spam is widely regarded as being unethical. The methods by which the spam text message reaches your phone are cloaked in deceit and trickery (see my article Telephony Leads and Debt Management Companies – How It Works) and the cumulative cost to the spam recipients is greater than the cost to the spammers themselves.

Consider the following other products that are marketed by spam, that we have become more hardened to:

  • Viagra
  • Diet Pills
  • Other pharmaceuticals
  • Fake College Degrees

Most people wouldn’t dream of giving these items even a second glance, so why not treat EVERY company that does this the same way, regardless of the medium (Email, Text Messages, Telephone Calls, Post, etc.)?

Are You a Victim?

Screenchannel Television is making a new series about debt and loans and is looking for people to share their experiences. If you have been a victim of this scam, or have even considered responding and are interested in taking part, then you can read more in this article.

Reporting

Back in May 2009, the Guardian newspaper wrote an article Spam to go – the new mobile menace. It recommends a number of organisations you can contact.

To complain about an inappropriate text, call the Advertising Standards Authority 020 7492 2222 or go to www.asa.org.uk/asa/contact/

To resolve continual mobile spam despite texting “stop”, contact the ICO on 01625 54 57 45 or go to www.ico.gov.uk/complaints.aspx

For help with premium rate text spam, call PhonepayPlus on 0800 500 212 or log on to www.phonepayplus.org.uk/output/Make-a-complaint.aspx

You may be able to report these messages to your provider. The following links may help:

Vodafone – How do I report spam text messages? Forward the spam message to VSPAM (87726).

Orange – Stop spam text messages. If you are on Orange and get spam messages, please forward them to 7726 free from your Orange phone. By doing this you are helping Orange to collate information to help reduce spam messages being sent to you and others.

O2 also allow you to report on 7726. See: SPAM and unwanted subscription texts

I would also try forwarding the message onto 7726 if you are with T-Mobile or Three.

You can also try NumberCop and DoNotCall.gov

Leave Your Numbers

Again, post your numbers below. Some people may search just for that number, so if we can help others then all the better.
