Microsoft Adds Support For JavaScript Functions in Excel

An anonymous reader shares a report: At the Build 2018 developer conference that's taking place these days in Seattle, USA, Microsoft announced support for custom JavaScript functions in Excel. What this means is that Excel users will be able to use JavaScript code to create a custom Excel formula that will appear in Excel's default formula database. Users will then be able to insert and call these formulas from within Excel spreadsheets, but have a JavaScript interpreter compute the spreadsheet data instead of Excel's native engine. "Office developers have been wanting to write JavaScript custom functions for many reasons," Microsoft says, "such as: (1) Calculate math operations, like whether a number is prime. (2) Bring information from the web, like a bank account balance. (3) Stream live data, like a stock price."

What could possibly go wrong?

[khandom08]

....

Re:What could possibly go wrong?

[bobstreo]

The worst?

  With the tight security model Microsoft (and intel) always holds, combined with the track record of Javascript, they sky is the limit!

Re:What could possibly go wrong?

[Gr8Apes]

My personal take is there weren't enough holes in Excel, so time to add a new holey framework implemented, of course, by the best MS could outsource.

Re:What could possibly go wrong?

[spywhere]

You beat me to it.

Re:What could possibly go wrong?

[NicknameUnavailable]

While Dante's inferno depicts several circles of Hell with the Devil in the center/bottom circle stuck in the floor being tortured for eternity - that's really not even the limit, there's another less well-known circle of Hell smack in the center: the Devil's colon. That is where this will go. That said, it's better than VBA.

Re:What could possibly go wrong?

Sooooo, this is how SkyNet begins...

Re: What could possibly go wrong?

Spectre will make this easy to scrape credentials and whatnot from memory.

Goes like this

1. Ransomware infected document makes its rounds in email.

2. Files encrypted, and credentials uploaded to the Internet.

3. Machines and Domain Controllers 0w3ned! Backups purged to prevent recovery.

4. The compromised organization folds, people lose their job.

5. Parents without income, children go hungry.

Re:What could possibly go wrong?

[Oswald+McWeany]

While Dante's inferno depicts several circles of Hell with the Devil in the center/bottom circle stuck in the floor being tortured for eternity - that's really not even the limit, there's another less well-known circle of Hell smack in the center: the Devil's colon. That is where this will go. That said, it's better than VBA.

It's barely better than VBA. JavaScript is (in the 21st Century) the equivalent of VBA in the 90's. Quick, crude, and unstructured; it's the "rabble" of languages.

Re:What could possibly go wrong?

[yuriklastalov]

Not only that, but it's still going to have to use the existing Office App data model which is half of why VBA is such a clusterfuck in the first place. Which is to say a bunch of bizarre COM bindings and related retardation.

Re:What could possibly go wrong?

[q_e_t]

If SkyNet is relying on JavaScript an attack on any one of five dozen servers it is downloading vital code from will defeat it.

Re: What could possibly go wrong?

[Gr8Apes]

Spectre will make this easy to scrape credentials and whatnot from memory.

I thought Daniel Craig took care of Spectre in a lackluster finale?

Re:What could possibly go wrong?

[Gr8Apes]

If SkyNet is relying on JavaScript an attack on any one of five dozen servers it is downloading vital code from will defeat it.

Nah, all that's needed is for one of those "developers" to get in snit and un-publish their version of the left-pad "library". SkyNet will promptly crash and refuse to run.

Re:What could possibly go wrong?

[Darinbob]

You forget, marketing is in charge of development. For every security bug patched, Microsoft marketing introduces new and exciting security holes to improve the user experience.

Re:What could possibly go wrong?

[DriveDog]

JavaScript is a hell of a lot better than VBA. There are no words for how bad is VBA.

Re:What could possibly go wrong?

[aberglas]

VBA is actually an excellent language, better than JavaScript. The main advantage is that it includes static typing which is a killer feature for larger programs. VBA has classes and properties and dynamic typing, only thing missing is closures which are rather esoteric. There are a few historical quirks in both languages.

End If is actually better than {}s, because the compiler can detect errors -- the {} approach was introduced in Algol 60, replaced with End If (actually Fi) in Algol 68 (1968). Most languages also saw the light and avoided {}s. But then C inflicted {}s back on the world. But that is probably the least bad thing about C. (The worst is counting from 0.)

But per my previous post, the big thing is that VBA runs in the server, JavaScript is client/server. Impossible for end users to use, which is the point of VBA.,

Re:What could possibly go wrong?

[KingBenny]

i will sue you for stealing my copyrighted first thought hah hah indeed what could possibly go wrong with that, then again, nothing risked nothing gained i suppose i didnt know excell was still "a thing" given the fact that you can like get oodles of functionality for free and only biiiiiiiig corp would need something that can do all that, and they can write their own ... but well, 'as slow the world turns i guess

I'm listening...

[MightyYar]

This could be good, if they handle errors well. If they use the same default "fail silently" practice as they do with VBA functions, then it will be just as dangerous as those are.

Re:I'm listening...

[ireallyhateslashdot]

....you expect Microsoft to do good? Of course errors will "fail silently". Garbage is as garbage does.

Re:I'm listening...

[slashdice]

You expect javascript microwave jockeys* to do good?

* because copy-pasta

Yes

[cascadingstylesheet]

The only thing better than VB in a spreadsheet is JavaScript. This is awesome.

Re:Yes

[jellomizer]

Which is at least an Open Standard Programming language. Which works on different OS's and hardware architecture. And designed to run relatively safely on your PC.
VB is a hold over the Bad Old days of Microsoft. Where to get the feature you needed the entire ecosystem. Even the long time Office for the Mac, didn't didn't support VBscript (or at least not completely)

The biggest issue I have, is people using Excel and Access as their programming environment, to try to bypass us egotistical developers and get a program running fast. Only to have it break a year down the line and get those egotistical developers digging in poorly written and designed system to make heads or tail on what went wrong.

Re:Yes

[110010001000]

How is JavaScript designed to run relatively safely on your PC?

Re:Yes

There is a huge group of computer-using professionals that live and breathe Excel.

They are not programmers. But they do have script-kiddie level of competence, which they use for making Excel formulas and macros.

These people are in love with Excel, and when they submit requirements for actual software development, they adamantly insist that the software accept Excel documents as input, and that everything the program does be controlled by Excel.

This creates terrible inefficiency, gobbles up memory, slows the system down, injects an endless stream of bugs and support issues, and lets utterly unqualified people inject code into complex systems with little-to-no insight as to what-all is going to break because of it. But if you try to convince them to allow you to implement some of that logic in a proper coding language, they flatly refuse.

So, of all the programming languages that are common in the industry, which one is most likely to be one that this class of user has encountered, tampered with, and prefers?

Of course javascript. One of the Internet's oldest mistakes, and one of the worlds most sloppy and dangerous tools, will be put into the hands of non-programmer power-users to use right in the center of complex mission-critical systems that directly impact things like....oh I dunno....large sums of money moving around.

The world is run by the wrong people.

Re:Yes

[Opportunist]

By turning it off.

Re:Yes

[Anne+Thwacks]

There is a huge group of computer-using professionals that live and breathe Excel.

You have had too much of that white powder - those are not computer professionals - they are either zombies or aliens.

Re:Yes

[jellomizer]

Being that JavaScript has been running on browsers for close to 20 years. While not 100% secure. It is designed to not to interact with your actual PC, just in the container it is designed to run it (the browser) we have been safe from a lot of the nonsense that Microsoft has exposed us to in the past, with VB Script and Active X controls.
The vulnerabilities in Javascript have been quickly fixed and isn't a flaw in the language but in the interpreter. While the Microsoft languages, where designed in era where the idea of having a program hosted on the internet directly write to your files was a good idea. And they cannot easily roll back those features, as there was some guy who uses the features daily.

Re:Yes

[110010001000]

What does this have to do with a browser? This is Excel. I can write a JS program that will erase your hard drive if I am running it in a shell.

Re: Yes

[cyber-vandal]

Feel free to post a link to the source

Re: Yes

[flink]

What does this have to do with a browser? This is Excel. I can write a JS program that will erase your hard drive if I am running it in a shell.

Feel free to post a link to the source

var fso = new ActiveXObject( "Scripting.FileSystemObject" );
fso.deleteFolder( "C:\\", true );

Re: Yes

[lgw]

pwnt

Re:Yes

[lgw]

These people are in love with Excel, and when they submit requirements for actual software development, they adamantly insist that the software accept Excel documents as input, and that everything the program does be controlled by Excel.

This creates terrible inefficiency, gobbles up memory, slows the system down, injects an endless stream of bugs and support issues, and lets utterly unqualified people inject code into complex systems with little-to-no insight as to what-all is going to break because of it. But if you try to convince them to allow you to implement some of that logic in a proper coding language, they flatly refuse.

Lo, I was beset by such ills, and I went to the mountaintop. Upon the mountaintop was a burning bush, and in a booming voice it spoke:

C S V

So it is written. So let it be done.

(Seriously, tell your Excel jockies the input format is CSV, or TSV, or whatever. As a bridge between Excel and real code, it's a gift from God. They can play to their hearts' content in Excel, but they have to give you plain data, and accept plain data from you.)

Re:Yes

[Darinbob]

"Your document is taking too long to load. Do you wish to cancel running the scripts or continue to wait?"

Re:Yes

[painandgreed]

There is a huge group of computer-using professionals that live and breathe Excel.

You have had too much of that white powder - those are not computer professionals - they are either zombies or aliens.

Worse. They're MBAs.

Re: Yes

[cyber-vandal]

So that isn't available in VBA already? What makes that more of a security hole in JS?

Re: Yes

[cyber-vandal]

I've been here a lot longer than you now fuck off.

Re:Yes

[Opportunist]

I didn't ask for permission. I assumed it, and if you happen to disagree, just drop me a note (that will curiously be eaten by the mail server).

Re:Yes

[gravewax]

I used to think the same way, but the reality is these are people IT has failed. They have a need and IT has repeatedly failed to deliver it to them over the years. Sure what they produce quality wise is absolute shit, but they produce it because that shit is better than the nothing you are delivering them. One of the constant thing I am fighting nowadays is the self entitled IT, they think IT is special and business must follow IT rather than understanding IT exists to provide the business with a service, this is especially prevalent in the public service.

Re: Yes

[flink]

So that isn't available in VBA already? What makes that more of a security hole in JS?

It's not a security hole in JS per se, and of course you can do exactly the same thing in VBA. But the statement was "This is Excel. I can write a JS program that will erase your hard drive if I am running it in a shell.", and you invited someone to post source backing that up, which I did.

The point, and I think we agree on this, is that no language, be it VB, JS, perl, or python, is inherently dangerous. It's all about the context in which they are run and the APIs they have access to. JS in the browser is relatively "safe" with respect to the host OS because we've had years of refining the browser sandbox model and APIs. However, JS in the browser can be tricky from both a privacy and a server application security perspective, which is why we have to guard against things like what information leaks out of browser APIs and cross-site request filtering.

I think it is likely that JS will just be have all the same COM bindings that JScript in WSH has available to it, in which case it will be just as dangerous to run untrusted JS macro code in Excel as it would be to run one written in VBA. If I am wrong and this feature will just implement JS as a limited functional language with very proscribed access to Excel numeric and cell data functions, then it could be quite safe.

Re:Yes

[Goglu]

... and then comes formatting issues: commas are use as decimal separators, dates are formatted in different was, depending on the desktop where the CSV or tab-separated file is generated, text values that look like numbers (item 00315) are stripped of leading zeroes.

Excel is a terrible data exchange source. That's it.

Re:Yes

[lgw]

Everything you just described is fundamental to receiving data from non-programmers. Excel isn't causing that problem, it's users are - and they'd be causing it regardless. But, hey, normalize your inputs and get on with life.

Re: Yes

[cyber-vandal]

Yeah I should think before I post really :)

Re: Yes

[cyber-vandal]

I'm salty because some bellend told me I don't belong here.

This will be used for mining

[xack]

One of the first “apps” for this will be yet another cryptocurrency miner that will be spread around an organization’s spreadsheets.

Re:Please, $DEITY, no

[mark-t]

It's my understanding that VB macros do not require source code to be distributed if it has already been compiled into byte code.

Presumably, one can vet the source code themselves if they are wary of third party code.

Theoretically, at least, javascript has a potential of being safer than VB in this regard.

JavaScript/Excel Type handling & Secutiry?

[mykepredko]

Personally, I think this capability could be extremely useful and should be pursued.

But, my first thought was to type handling - both environments largely handle data typing automagically and I would like to see how incompatible types are recognized and handled. I would worry about JavaScript's tendency to ignore failures and carry on as best it can without notifying the user as being a significant concern. For this reason, I would consider Python to be a better choice.

I wish in the TFA, when they reference getting web information using JavaScript, they didn't jump to getting a "bank account balance". That should strike terror in just about everyone - I'd be a bit more amenable if they used an example like getting the temperature in Tampa. It's not like Microsoft or JavaScript have been shown to be paragons of protecting user information and security.

Re:JavaScript/Excel Type handling & Secutiry?

[AvitarX]

I'm pretty excited because it seems like it will make it quite easy to use regex to filter.

Currently, I have to either use google sheets, or contort something that abuses functions to get some filters done.

Re:JavaScript/Excel Type handling & Secutiry?

[MightyYar]

Regex is already available in Excel through a reference to "Microsoft VBScript Regular Expressions 5.5".

Re:Please, $DEITY, no

[NicknameUnavailable]

The issue is Microsoft, not the language. VBA macros still exist, it's the managed environment running them that becomes the issue without regard to the language.

This is very very welcome...but...

[bogaboga]

Folks, I will have to say that this development is very welcome though what really saddens me is this: -

There's no Open Source Excel alternative that comes even close to what Excel can do.

To make matters worse, there's no [serious] effort to create anything capable.

Re:This is very very welcome...but...

[jandrese]

Which Excel features are missing from Openoffice Calc that are a showstopper for you?

Re:This is very very welcome...but...

Running existing Excel macros, Power Pivot, lots of chart types, external data sources, multithreading.

Re: This is very very welcome...but...

[MMC+Monster]

You want to see twitter feeds from Bloomberg and Reuters in your spreadsheet?

I'm pretty sure that's possible in LibreOffice. I've seen similar screen scraping macros. Of course, it's still probably the wrong tool for the job. :-(

Re:This is very very welcome...but...

[guruevi]

I think you shouldn't be using Excel at that point anymore. If your "data scientist" is using Excel, fire him, immediately.

Re:This is very very welcome...but...

[guruevi]

You must never have heard of SQL, Python, R, ...

Try opening an Excel sheet with 15,000 lines and applying a filter... (I just got one of those in my Inbox - 2MB Excel sheet, takes 2 minutes to re-render any changes on an 8-core i7 (Excel: using 16 threads... 4%)

Re: This is very very welcome...but...

[cyber-vandal]

What should you be using instead?

Re:This is very very welcome...but...

[140Mandak262Jamuna]

Have you seen the google sheets created by crowd sourced data?

There is one where people who booked Tesla Model 3 are entering data to predict info Tesla is not revealing, VIN, production rates, etc etc. 5000 people collaborative editing. Pictures, charts, rolling 21 day averages, historic charts predicting wait times for each color + wheel combination, and what not..

There is one used by Indian/Chinese H1B applicants tracking the reports of who got what when. I have not seen it, but it supposed to be over 10000 people collaboratively editing a shared spreadsheet.

If you want to accept a tool and use to its maximum potential there is a lot you can do without Excel.

But if you want to cling to your Excel skills and macros, as though they were wonderful gems, masterpieces of art that can never be recreated, and demand some free tool to mimic it 100% to *your* satisfaction, tough luck, buddy. You enjoy your Excel and you pay through your nose for it.

Re: This is very very welcome...but...

R, Python, Matlab, Mathematica, IGOR, IDL.......

Re:This is very very welcome...but...

[slack_justyb]

If your "data scientist" is using Excel, fire him, immediately.

I think that's a bit harsh. I've got a friend that, that is their job and it wasn't until a lot of crying and begging did they approve Python and R for install on the laptops. You've got to remember that sometimes you just have to work with the tools that upper management will allow.

I'm not suggesting that, that justifies anything, just that sometimes it's hard to get non-data folks to agree to thing, even free things.

Re:This is very very welcome...but...

[Christopher+Fritz]

The main one for me is tables. In LibreOffice Calc, I can give a range a name, and I can add an AutoFilter, and I can create my own total row, and I'm sure I can put together some kind of nice style for the table of data, with alternating row colors. In Excel, it's a one-click action. From there, I can also easily add a formula to a cell, and have to copy down to all rows. Each row has its own name, making formulas referring to cells within the table easier to read.

There have been other Excel niceties missing from OpenOffice/LibreOffice Calc that have slowly appeared over time, so I hesitate to point out anything else as it may have been resolved already. Tables are simply the one that stick out the most.

I don't use spreadsheets very often at home, but when I do, I typically find pain points in things that are quick and effortless do to in Excel. (I think I'm on Excel...2016? at work.) For my limited home use, I wouldn't call the lack of tables a showstopper, but it would be if I tried using something other than Excel at work.

Re:This is very very welcome...but...

[gravewax]

the point of many of those features is you don't need a data scientist to do it. The fact you do with CALC is a huge negative.

Re:This is very very welcome...but...

could you find any more a niche example to try and make sheets look good? We transitioned to google for our office suite 3 years ago, we are an organisation of around 500 staff. We are in the process now of transitioning to OFfice 365. Sheets is one of the primary reasons we are doing this, the lack of features just isn't worth the pain, sure you gain slightly better collaboration which in those .00001% of cases is great, but catering to such a niche scenario while ignoring the 99.9999% of cases where Office 365/Excel is better is just moronic.

Re:This is very very welcome...but...

[guruevi]

There are huge problems with using Excel for data analysis. Excel is an extremely bad tool with very bad precision, it can't even handle simple subtractions.

Set A1-A3 with a number that differs by the same value
A1:=21.123, A2:=22.246, A3:=23.369

B1:=A1-A2 = 1.123, B2:=A2-A3 = 1.123

Calculate B1-B2. You expect 0 yet you don't get 0, you get a value. And this isn't a new 'bug' this has been around since at least Excel 97.

There are various other problems that frequently crop up around rounding and formulas using the results of other formulas or sometimes certain cells have the wrong type set (eg. text instead of integer) causing it not to barf up an error but to simply treat the cell as the value 0. Also, anything to do with dates is just wrong with Excel because it has two types of dates, one counting from 1900, one counting from 1904... because.

Re:This is very very welcome...but...

[guruevi]

Depends on what you need to do, you need the right people for the job. If you need a programmer, you need a programmer, if you need an accountant or a lawyer, you don't just hire the janitor that used to work at a law firm in the hopes that he might have picked up some knowledge over time. Yeah, it makes perfect sense that if you're handling massive volumes of data, you have a data analyst that knows their stuff. Excel can barely even handle small bookkeeping without running into rounding errors and other weirdness.

Re:This is very very welcome...but...

[guruevi]

They do pivot tables and basic graphs, I don't think you know what you're talking about. But "just graphs" is not what we're talking about, the initial GP talked about power pivots, lots of charts, external data sources, macros etc. that is where Excel starts tripping up and many a business have made massive mistakes relying on Excel for those.

Re:This is very very welcome...but...

[jandrese]

I take it OpenOffice Data Pivots are insufficient?

Re:This is very very welcome...but...

[jandrese]

Excel macros are a bit of a minefield, but you can try enabling them in OpenOffice if you are feeling brave.

No, not JavaScript!

[null+etc.]

Good God, of all languages, why JavaScript? JavaScript is a terrible programming language! And its floating point math is bonkers, have you ever tried doing 0.1 * 0.2 in JavaScript, the answer is 0.020000000000000004! Can you imagine how main spreadsheet errors this will cause?

And JavaScript doesn't even have type safety! If Microsoft were smart, they would use a compiled programming language, like C, that you'd have to compile using a command-line compiler with a GPG-Key that you could inspect to avoid government MITM attacks! Now the government can get your tax spreadsheet information!

And, JavaScript is terrible because a lot of popular JavaScript frameworks have their own package managers! Can you imagine developers BLINDLY TRUSTING whatever package and whatever dependencies it has? Every developer should be forced to only use the OS package manager to install JavaScript libraries!

And, JavaScript is terrible because hundreds of programmers release hundreds of new packages every day, and they grow old and stale and now the JavaScript package ecosystem is older and staler and more crowded than the iOS app store ecosystem!

And, JavaScript is terrible because anyone can just pick it up and start playing with it, and they can write a web server in 15 minutes without even knowing about tail recursion or Monte Carlo cyclomatic complexity reduction! Script kiddies will start taking our jobs, and they don't even have to know how to covert an AST optimization into a stack heap implementation!

I hope that Microsoft realizes the error of their ways, and instead implement something like LISP as the programming language.

Re:No, not JavaScript!

[mark-t]

To be fair, javascript is no more unsafe than lisp is. What makes javascript unsafe is any vulnerability in auxiliary frameworks that are exposed to script writiers, none of which are part of the actual core language or standard frameork library.

Re:No, not JavaScript!

[Dan+East]

I'll sell you some. I heard Slashdot Mod Points are going for $3 a point.

Re:No, not JavaScript!

[Anne+Thwacks]

To be fair, javascript is no more unsafe than a cornered rat with rabies.

FTFY

Re:No, not JavaScript!

[mark-t]

Javascript, by itself, is about on par with safety as any other scripting language such as scheme or Lua. Any lack of safety lies entirely in what underlying operating system frameworks are exposed to the api of the script language by the language embedder. By default, there is nothing that stands out to my knowledge in the javascript core library that would be considered unsafe.

That said, I won't argue that there are a few characteristics of javascript that might make it undesirable as a programming language or even prone to certain types of programmer errors, especially with newcomers, but they do not make the language particularly unsafe to use.

Re:No, not JavaScript!

[DavidHumus]

> ...0.1 * 0.2 in JavaScript, the answer is 0.020000000000000004!

That's called floating point arithmetic. It has nothing to do with the language.

Re:No, not JavaScript!

[jaa101]

have you ever tried doing 0.1 * 0.2 in JavaScript, the answer is 0.020000000000000004! Can you imagine how main spreadsheet errors this will cause?

You appear to be ignorant of the way floating point numbers work. This is not a feature of JavaScript, but of the CPU in your computer. Try entering "=0.1*0.2" in an Excel cell and then turn up the format to 20 digits of precision. I'm not saying that JavaScript is good, but using this as your first example of how bad it is doesn't help your credibility.

Re:No, not JavaScript!

[munch117]

have you ever tried doing 0.1 * 0.2 in JavaScript, the answer is 0.020000000000000004

You mean just like in Excel?

JS is an excellent match for JS. Floating-point math? Check. Playing fast and loose with strings and numbers? Check. Massive additional attack surface on something that would often have been better served with simple static data? Check.

Re:No, not JavaScript!

[munch117]

"JS is an excellent match for Excel" is of course what I meant.

Re:No, not JavaScript!

[viperidaenz]

You've listed nothing relevant at all and also demonstrated that you don't know much about Excel.

Excel uses floating point too, just like JavaScript. The same basic type of floating point too, IEEE 754
https://support.microsoft.com/...

Excel doesn't have type safety in its cells either. Or in its current VBA language.

Microsoft isn't embedding a package manager in Excel

Again, Microsoft isn't embedding a package manager in Excel.

Excel used VBA because it's easy to pick up and use. You've listed a pro, not a con.

Re:No, not JavaScript!

[viperidaenz]

I wish I hadn't commented here so I could mod the parent post down.
null etc. doesn't even realise Excel ha always used floating point arithmetic internally, so it's a benefit that JavaScript also uses IEEE 754 floating point.

Re:No, not JavaScript!

[DavidHumus]

... doing 0.1 * 0.2 in JavaScript, the answer is 0.020000000000000004!

That's what happens in floating point arithmetic regardless of the language. Try it in Python.

Moron.

Keeping up with the Joneses

[ahziem]

For at least ten years, StarOffice, OpenOffice.org, LibreOffice, and derivatives supported JavaScript and Python in the Calc spreadsheet.

Speed

[Thelasko]

That's all fine. But all I really want is for it to be faster than molasses in January. It take forever to load, and forever to save. If I want bunch of fancy features, I would switch to a more powerful program.

Stop Press :]

[najajomo]

"Microsoft Adds Support For JavaScript Functions in Excel"

Please shoot me

[Opportunist]

But could you please do it before the first batch of Excel-based javascript-empowered cryptominer and other malware arrives in our company?

Who the FUCK thought it would be a great idea to marry the one file format every idiot opens when it arrives in his mailbox because that's what he does all day with the one scripting language that can the easiest be obfuscated to escape the current antivirus signatures?

So far I was willing to say that MS simply can't fight malware, but this makes me wonder whether they get a cut of the profits.

Re:Please shoot me

[dysmal]

It's very likely the same JS engine they use in Edge... so its as safe or unsafe as your network policy and idiot users are today.

A lot of organizations are fucked then.

When will they learn?

[zarmanto]

Microsoft has added various scripting languages to their Office products over the years... and each and every one has been abused by bad actors at some point, forcing Microsoft to cripple and/or remove the capability. What on earth could possibly make Microsoft think that adding JavaScript to Office documents will be any different? Particularly since it has already been abused in a myriad of ways within web browsers??

As the old saying goes, "The definition of insanity is doing the same thing over and over again, and expecting different results."

Re:When will they learn?

[khandom08]

As the old saying goes, "The definition of insanity is doing the same thing over and over again, and expecting different results."

I'll just leave this here https://www.psychologytoday.co...

Re:When will they learn?

[zarmanto]

That article serves no purpose in this context, unless for some reason you're attempting to deflect from or minimize the detrimental impacts of Microsoft's poor decision making in this situation. Certainly you could be pedantic and argue that Microsoft isn't technically exhibiting insanity so much as they are exhibiting "perseveration" behaviors... but that distinction offers no particular benefit to the discussion, and only serves to confuse people.

Sometimes "cute sayings" are quite adequately descriptive enough to illustrate the point.

Re:When will they learn?

[khandom08]

You know I actually agreed with what you were saying. The only qualm I had was with your use of that false definition. I would have probably said something along the lines of "Microsoft's insistence on doing the same things over and over again, and expecting different results clearly demonstrates their lack of vision" or similar.

Re:When will they learn?

[grep+-v+'.*'+*]

As the old saying goes, "The definition of insanity is doing the same thing over and over again, and expecting different results."

This is Microsoft WINDOWS we're talking about. Don't you re-install it every 6 months too, saying "This time is the very LAST time."

Re: When will they learn?

[zarmanto]

I do see your point â" but Iâ(TM)m a Mac user, so nope.

Re: When will they learn?

[zarmanto]

(Why does Slashdot always do that to the extended characterset?)

Re:Please, $DEITY, no

[mark-t]

I didn't suggest that this would make the system as a whole any safer, I said that JS, in this respect, is less likely to be successfully used as an attack vector than VB because the end user can vet javascript source code themselves if they are so inclined, and possibly spot any dangerous code, while VB has the option of being distributed as pre-compiled byte code.

But of course, if they are keeping VB (and I expect that they are), then obviously the system isn't any safer at all, because attacks can still be obscured from that angle anyways,

It was if a million IT professionals screamed

all at once.

VBA not "good" enough?

[sdinfoserv]

Does this mean VBA gets yanked? Is the roadmap to replace macros with Java? GAWD!
I am so tired of other java systems failing after an automated java update, now the CFO's spreadsheet fails... spectacular idea.

Re:VBA not "good" enough?

[omnichad]

Java != JavaScript. At all.

Re:VBA not "good" enough?

[guruevi]

Apparently nobody does. It's not JavaScript, it's ECMAScript.

Re:VBA not "good" enough?

[viperidaenz]

And you've just demonstrated your inability to function in IT, not knowing that JavaScript and Java are completely different.

Missed the important reason

[mrbester]

"Office developers have been wanting to write JavaScript custom functions for many reasons"

Mainly because they're assholes who will throw IT under the bus the second a routine they blithely copy-paste from some random site steals sensitive data.

Re:Ummm...so?

[Oswald+McWeany]

I can already manipulate any of Excel's data with C++, C#, VB.NET, VBScript, yes, JavaScript, and any other language that can handle scriptable COM objects. I wouldn't necessarily call this a game changer.

It's not a game changer to a programmer. It's potentially a game changer to some desk jockey in a low tech job that can copy and paste formulas from the internet and can follow it well enough to make a few simple changes.

Although... they have VBA for that already.

Vulnerabilities?

[ilsaloving]

Cause they didn't have enough gaping wide vulnerabilities with VBA?

Here's hoping they carried over all the lessons learned.

Thank you!

[darkain]

I'm in an organization that INSISTS on using Microsoft Excel as an administrative end for an entire ecommerce platform. They want to use it for all of their inventory management. The last major iteration, I finally said "FUCK THIS SHIT", and wrote a quick VBA script that simply copied the current sheet to a new document, saved as XLSX (for those unaware, this format is just a small collection of XML files ZIPed up, with a custom file extension), and then the VBA script uploads this new single-sheet document to an internal web application. Now instead of having to deploy the fuckall bullshit VBA scripts across the entire organization every time a new feature or bug fix is needed, the entire codebase is handled on a centralized server. Hopefully with Microsoft's current Azure focus, they can do something like this close to natively with their new JavaScript implementation. I'm not a fan of MS Office at all, in fact, I'm absolutely sick and tired of having to support it... but if they can at least make something easier, I'm all for it.

Clearly a Good Thing (TM)

[Dawn+Keyhotie]

This is clearly a Good Thing, and could never cause any kind of security concerns.

After all, the one thing I always wanted in my company's proprietary and highly confidential corporate budgeting spreadsheets was the ability to stream random data from the Internet.

Also, I have a bridge in Brooklyn to sell, the biggest and most amazing bridge ever. Call today!

I have an idea

[viperidaenz]

Remove custom functions, scripting and macros from Excel.

At the very least, it will stop people building business critical applications as a spread sheet.

On second thought, bring on the JavaScript functions. I make a lot of money replacing spread sheet applications with real ones.

Office Space

[TJHook3r]

At least this kludge will make it easier for office anarchists to skim a fraction of a penny off every transaction and deposit into a bank account... JS precision is so bad nobody would ever notice!

News flash from the future

[Zaiff+Urgulbunger]

News Flash From The Future
Financial melt-down due to developer pulling NPM packages for some arbitrary reason; economists inconsolable!

Gross...

[Karmashock]

Well, count down to viruses.

Not the Excelent Excel Object Model

[aberglas]

No, it does not use the Excel Object Model.

The Excel Object model is actually very good. Sensible and clean (ignoring recent horrors like the ribbon). COM is a mess, but the object model is excellent.

Moving to JavaScript does not merely men replacing End If with {}. The JavaScript model runs in a client server style, with futures etc. Much, much more complex. That is the essence of the change, Not the actual language.

10 lines of VBA becomes 100 lines of the new Java API. And is impossible for non-programmers to write. And that is what VBA supports, non programmers.

In VBA you can even record a macro, see the object handling, and then tidy it up afterwards. Excellent.

What actual users of Excel want is the VBA to be properly supported. It was abandoned for .Net, which was unusable by non programmers and very difficult to deploy. And now the fashion is Javascript. But since when to developers listen to uses? Wot's hot and wot's not. That is what counts.

All Good, except for this other thing

[Provocateur]

Perish the thought, unless you want to end up in Federal pound-me-in the-ass prison!

No news is bad news

[bursch-X]

So they went with this, at least Excel will be more in the news in the near future. They should also throw in jQuery and React, for good measure. If youâ(TM)re supporting JS go all the way!

At least update the broze-age era IDE already!

[LostMonk]

While they're at it, will they at least update that broze-age era IDE that lurks inside MS Office like a horror in a dark cellar?