Seems to me that all this is used for in javascript is to bypass filters when executing xss attacks. Im sure there are legitimate reasons for having it, but it seems to me that it does more harm than good. Anyway, just a thought, was curious what you guys think.
Yup, imo this has no legitimate uses unless you need a really weird character that it has access to and for some reason you can't just copy-paste it. But even that's a little obscure.
Its actually quite useful when doing automated string manipulation, e.g. writing a caeser or vignere or similar cipher would be next to impossible (its doable because you can create your own version of the function by creating an array which acted like a lookup table).
But quite seriously; I don't think that removing functionality from one language is a very good way to stop vulnerabilities in applications written in other languages.
And even if we remove it there are still things like this: http://ha.ckers.org/xss.html#XSS_no_single_double_quotes_semicolon
And even if you remove both of those; if you can inject js. you can almost certainly inject a form, with an attribute which has js in it, and then all you need to do is eval(document.forms[3].attribute_name) and you're executing js, and we can't destropy that since it will break a lot of old apps.
Very good point kuza. What if you want to manipulate chars as their ascii codes? I made a few functions to do this because I never knew about this function in the past lol. >:O
