Well, the first answer to "can javascript be added?" is yes: javascript could easily be shown on Steemit, and I see many reasons why that would be a positive thing. The big problem is security. If javascript were allowed, it could modify the Steemit webpage itself and create huge security issues; we are talking about a sending-your-password-somewhere-else level of risk.
The Benefits
If javascript was allowed on Steemit this would allow things like games and interactive posts, something I'm sure a lot of people could find creative and interesting ways to use. It simply adds more types of content that can be added to Steemit, making it a more diverse place.
The Risks
As stated above, the full javascript API poses serious security risks because it is meant to be the only program running on a webpage, not a snippet dropped directly into a post. Javascript can directly read and modify a webpage, as well as send POST messages and SQL requests to a server. It is very powerful for websites, and secure for the end user if written properly. So why can't this be fixed? Well, at the moment, as far as I know, javascript has no built-in element protection. In other words, any script that runs has access to every element on the page, and there are no restrictions you can put on it. This brings me to my next point: some solutions.
Some Solutions
These are just some ideas I came up with, but I'm sure there are several other ways it could be done. I'm also not sure whether the ideas I put forward here are 100% foolproof; they are just thoughts, and fully open to discussion and criticism. After all, I am not a web development specialist.
Javascript Protection Protocols
In my opinion this would be the best option, but also the hardest to get through. The basic idea would be for javascript and browsers to change their specification so that security limits could be enforced in the interpreter itself. The reason this is so hard to change is that Steemit has no control over how javascript or browsers behave, and therefore can't do anything about it on its own.
Limited Script
The basic idea here is for the Steemit editor to parse the javascript and make sure it doesn't use any forbidden commands or modify any forbidden elements. This would give Steemit a modicum of control over what the user's javascript can do. The program would have to restrict the javascript to what is written locally in the post, with nothing imported from off-site, so that Steemit has full control over what the javascript contains. This is one of the hardest options, as it requires a javascript parser and error checker built into Steemit.
Custom Script
Much like the limited script idea, custom script would be a scripting language created by Steemit for the purpose of dynamic posts. In this way Steemit has direct control over exactly what the language is even capable of doing. Steemit would then parse the script server side and rewrite it as javascript. This effectively limits what the script can do while still allowing the end product to be javascript. This is probably the most secure option, and it is not impossible to implement from a programming standpoint; however, it would put more load on the server and require a new scripting language to be learned.
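To make the custom-script idea concrete, here is an added illustration that is not Steemit's code: a toy compiler for a hypothetical three-statement language (the DSL, the `ui` capability object and all function names are assumptions) that emits javascript able to touch only its own declared state and the host-provided API, so the post author never writes raw javascript at all.

```javascript
// Added example (not Steemit's code): toy compiler for a hypothetical "custom script"
// DSL, one statement per line:  var NAME = INTEGER | button "LABEL" : NAME += INTEGER
// (or -=) | show "TEXT with {NAME} placeholders".  Anything else is rejected, so the
// emitted JavaScript can only update its own declared state and call the host `ui`.
const VAR_RE = /^var ([A-Za-z_]\w*) = (-?\d+)$/;
const BUTTON_RE = /^button "([^"\\]*)" : ([A-Za-z_]\w*) ([+-]=) (-?\d+)$/;
const SHOW_RE = /^show "([^"\\]*)"$/;

function compileCustomScript(src) {
  const vars = new Set(), out = [];
  const ref = (name, n) => {  // only declared names may become state lookups
    if (!vars.has(name)) throw new Error(`line ${n}: undeclared variable ${name}`);
    return `state[${JSON.stringify(name)}]`;
  };
  src.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    if (!line) return;
    let m;
    if ((m = VAR_RE.exec(line))) {
      vars.add(m[1]);
      out.push(`state[${JSON.stringify(m[1])}] = ${Number(m[2])};`);
    } else if ((m = BUTTON_RE.exec(line))) {
      out.push(`ui.addButton(${JSON.stringify(m[1])}, function () { ${ref(m[2], i + 1)} ${m[3]} ${Number(m[4])}; ui.refresh(); });`);
    } else if ((m = SHOW_RE.exec(line))) {
      // placeholders become state lookups; everything else becomes a JSON string literal
      const parts = m[1].split(/(\{[A-Za-z_]\w*\})/).map((p) => {
        const v = /^\{(\w+)\}$/.exec(p);
        return v ? `String(${ref(v[1], i + 1)})` : JSON.stringify(p);
      });
      out.push(`ui.addText(function () { return ${parts.join(" + ")}; });`);
    } else throw new Error(`line ${i + 1}: unsupported statement`);
  });
  return `(function (ui) {\n  var state = {};\n  ${out.join("\n  ")}\n})`;
}
// Host side: the compiled code receives a capability object and nothing else. A real
// host would bind addButton/addText to elements inside the post's container.
function makeRecordingUi() {
  const buttons = [], texts = [];
  return {
    addButton: (label, handler) => buttons.push({ label, handler }),
    addText: (render) => texts.push(render),
    refresh: () => {},  // a DOM host would re-render the text nodes here
    rendered: () => texts.map((r) => r()),
    click: (label) => buttons.find((b) => b.label === label).handler(),
  };
}
function runCustomScript(compiled, ui) {
  return new Function("return " + compiled)()(ui);
}
```

The compiled output still runs in the page, so the host must trust the compiler; running it inside a sandboxed frame would be a sensible second layer.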
In Conclusion
Overall, I think it would be really cool to have some sort of scripting interface for posts on Steemit. That being said, I don't think this will be implemented any time soon for the reasons stated above, but it is something to keep in mind. Also, if there is something like this for Steemit already, please let me know, because I would love to use it.
Images from (respectively):
http://frutbunn.com/index.php/2015/08/20/javascript-code-to-show-an-eu-cookie-policy-banner/
https://insights.ubuntu.com/2017/03/20/three-flaws-at-the-heart-of-iot-security/
I was looking for a way to add graphs with javascript and came upon your post.
It is a conundrum for sure. Much of the javascript I want is based on plugins that need their source embedded, too. I wish Steemit could at least add common jQuery/javascript plugins to interact with that make sense. Graphs, games, etc.
I think your #2 limited javascript proposal is the most ideal. They could blacklist cross-site calls and any other functions that are commonly exploited, such as document.cookie. They don't have to mess with an interpreter. They would effectively write escaping/sanitizing logic when you do a POST.
I'm starting to realize javascript security is a cluster and you can introduce a lot of entry points for hackers that you didn't foresee until they got you by the balls.
Yeah, it would be sweet to do d3 on Steemit or some kind of live graph...
Right now it looks like they just scrub out anything between script tags.
But is that steemit.com doing that? Like, if you posted something via the API with javascript, would you see it?
Yes, that is what escaping does. There's server-side code that cleans it so that it won't be interpreted as code on the client side.
Thank you for the article!