Slashdot Mirror
Five AJAX Frameworks Reviewed
prostoalex writes "Dr. Dobb's Journal reviews 5 AJAX frameworks: Dojo 0.3.1, Prototype and Scriptaculous 1.4, Direct Web Reporting 1.0, Yahoo! User Interface Library 0.11.1 and Google Web Toolkit 1.0. Each framework was tested in two basic scenarios — writing a 'hub' (titled collapsible link list frequently seen on sidebars of many Web sites) and a 'tab panel' (horizontal tabbed navigation bar). During the process, Dr. Dobb's Journal reviewers noted that 'Dojo provides more features and HTML widgets than YUI and Prototype' but eventually 'settled on the Yahoo! User Interface Library.'"
what about mootools?
Website Hosting
Am I the only one who usually finds frameworks to be pointless for serious web development? It's not that they're necessarily bad, but that they pack in dozens of features that you don't necessarily need (potentially bloating the size of your page download by tens to hundreds of K)[...]
So write a script to remove all the unused functions. At least thats how we do it were I work.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
This sounds like the classic Framework versus Library debate. Some good reading:
0 5-May/000231.html
l .3.219431.12
0 6/07/frameworks_vs_l.html
The Dojo mailing list thread "dojo: framework vs library"
http://dojotoolkit.org/pipermail/dojo-interest/20
Joel Spolsky's "Why I Hate Frameworks"
http://discuss.joelonsoftware.com/default.asp?joe
Arnon Rotem-Gal-Oz's "Frameworks vs. Libraries"
http://www.ddj.com/blog/architectblog/archives/20
That being said, there are plenty of features in Prototype which are more library-like than framework-like, so it is easy to use parts of it without buying into a whole framework methodology. I don't know much about the other evaluated tools.
It takes the magical $() selectors of prototype, expands on them, and somehow delivers it all in 19k.
is jQuery and it's plugins.
I'm Alex Russell, Project Lead for Dojo,
We're obviously flattered that our little project got covered in DDJ, couldn't they have reviewed newer versions of the tools they covered?
Dojo: defanging browsers so you don't have to
Something I also missed was xajax. They use AJAX as RPC layer, calling a server-side method from JavaScript, and in reverse call methods on the clients back. This is easy to implement in existing pages, and leaves much room for implementation.
Instead of parsing data structures in the client, xajax allows you to send HTML chunks, JavaScript method calls and DOM operations back (making it two-way RPC). The most interesting part is you can reuse all server-side code created in the "web 1.0" days, like HTML template engines. :-)
The best way to accelerate a windows server is by 9.81 m/s2
Well, Fortify Software Security Research Group (which I am part of) has recently released a report ( http://it.slashdot.org/article.pl?sid=07/04/02/111 3242 ), where we discuss the new type of vulnerability we named JavaScript Hijacking.
p ublic/JavaScript_Hijacking.pdf .
e leased ) have been recently released, and do contain fixes that prevent JavaScript Hijacking.
We believe that JavaScript Hijacking is the only type of vulnerability found so far applicable only to Ajax applications. We've also analyzed 12 most widely used Ajax frameworks (DWR, GWT, Microsoft "Atlas", xajax, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo! UI, Rico, and MochiKit) and determined that all the frameworks that use JSON and/or JavaScript for transferring data (except for DWR 2.0 which was not released at the time) are vulnerable to JavaScript Hijacking.
To summarize, the vulnerability allows an unauthorized party to read confidential data contained in JavaScript messages. The attack works by using a tag to circumvent the Same Origin Policy enforced by Web browsers. Traditional Web applications are not vulnerable because they do not use JavaScript as a data transport mechanism.
Complete report is available here: http://www.fortifysoftware.com/servlet/downloads/
As a side note, DWR 2.0 ( http://getahead.org/dwr/ ) and Prototype 1.5.1 ( http://prototypejs.org/2007/5/1/prototype-1-5-1-r
Dojo is nice if you want widgets (month selector/accordian/...) but the documentation is rather weak. Personally I like JQuery, good docs and everything in 1 rather small file.
"jQuery is a fast, concise, JavaScript Library that simplifies how you traverse HTML documents, handle events, perform animations, and add Ajax interactions to your web pages. jQuery is designed to change the way that you write JavaScript." - jQuery homepage
jQuery is great because it's really small and really easy to use. I know very little about js and have absolutely no interest in learning all the gotchas related to cross-browser js development so I leave it to jQuery to do that for me. jQuery allows me to use js in a powerful way, easily and quickly.
It's disappointing to not see jQuery in that list as if to say it's any less well made than the others.
The name of the software is Direct Web Remoting
How can we take this seriously if they don't know the name of the software they are evaluating?
WTF - this article might as well have been written last summer. DWR version 2.0 is now out and has been in beta for a while.
./ post are incorrect.
The 'R' in DWR does not stand for for Reporting, but rather "Remoting". Both TFA and the
Microsoft got sued by a patent troll. Like it or not, MS were the good guys in this particular case, and aren't intentionally screwing anybody. Microsoft is trying to do the smart (and decent) thing by starving Eolas of future revenue. Microsoft and its deep pockets "took one for the team".
Browser inconsistencies
This is the most obvious one, but only the entry to the rabbit hole. If you are not familiar with the example (maybe not exactly the same, but any AJAX web developer worth his salt should have seen one like that) I give below, then please, PLEASE, do yourself, your fellow developers and your users a favor, resist the urge to hack things together for once, use a mature AJAX framework.
An important part of AJAX is that you need to update what is displayed on the web browser in the client side (by JavaScript), without refreshing the page. This implies that you're very likely to have to create and destroy DOM nodes on the fly. Now, how do you create a radio button in JavaScript?
How about...
That's what you would do if you follow the DOM standard. But sorry, this does not work. Try to create a radio button with the above code segment in Internet Explorer 6, you'll get a broken radio button - you can't select it. The correct way to create a radio button by DOM manipulation is described in this MSDN article:
Memory leaks
The last one was easy. Do you know you can make a web application that leaks memory like a sieve in Internet Explorer 6 by making a simple circular reference like the following one?
If you're a good programmer, I might have sounded an alarm in your head right now - any circular references involving DOM nodes in IE6 results in memory leaks that persist after URL changes or page refreshes - unless you use an AJAX toolkit that takes care of the issue for you. Have you assigned a DOM as an attribute value under another DOM node in the past? Yes? Then you'd better check your web application for memory leaks with Drip, now.
What's more, it's not just assigning DOM nodes as attributes that would result in memory leaks, closures in JavaScript can also form circular references and cause memory leaks. What makes closures particularly dangerous is that circular references with closures are not easy to spot. For example, the following code segment leaks:
Looks innocent enough, but you've already formed a leaky circular reference here. node->clickHandler->node.
For more information about memory leaks under IE6, read these:
Mihai Bazon's blog entry
MSDN's lengthy and confusing description of the problem
The XMLHttpRequest object is not as simple as you think
Much of the magic of AJAX comes from the XMLHttpRequest object (or its ActiveX equivalent, or an iframe, etc.), right? Sure. If you're only doing something simple via AJAX (like, updating the server time), then you can just copy an XMLHttpRequest code snippet from sites like this and hack away, right?