Alert can still lock browsers - why?

This post is more than 2 years old.

I remember back in the old days (Netscape was king!) when learning JavaScript that it was pretty easy to lock up the browser with the Alert statement. All you had to do was create an infinite loop of JavaScript alerts and then the browser was essentially locked up.

So while this typically only happens to poor developers who do it to themselves (as I did a few days ago), why haven't the browser makers done anything about this? Is it really something that only affects us doing development? While I'm not quite sure what the UI would be - it seems like something that could be solved. Perhaps the browser could simply keep an internal counter of the number of alerts fired. Once it hits 30, simply put a prompt on the alert asking if the user would like to suppress all future alerts.

Raymond Camden's Picture

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA

Archived Comments

Comment 1 by Kyle Hayes posted on 1/7/2007 at 11:27 PM

You know what is interesting about this, is that browsers already do have the functionality to allow you to abort long running JavaScript or Flash operations. It detects infinite loops and allows you to stop the script. I have a feeling, however, that the Alert issue is not caught in this because it contains visual feedback to the user. The only time I have seen the former occur is when the script was looping and no visual feedback to this loop was provided.

Comment 2 by John Dowdell posted on 1/8/2007 at 4:44 AM

True. And yet we don't see exploits. "Any site can crash your browser!" seems like it would make a good security headline on a slow news day...?

Comment 3 by Brian posted on 1/8/2007 at 6:48 AM

Opera has a toggle on Javascript alerts for "Stop scripts for executing on this page" (or something to that effect.)

Comment 4 by Raymond Camden posted on 1/8/2007 at 8:32 AM

Brian, nice to know _someone_ got it right (although I've never tried Opera myself.)

Comment 5 by Raymond Camden posted on 1/8/2007 at 8:34 AM

John, I'm not quite sure this would be a security issue per se. I mean, it can lock you out of your browser and force you to shut it down but it can't really (afaik) steal any information from you.

Comment 6 by PaulC posted on 1/8/2007 at 7:48 PM

Is there a more graceful way to handle alerts then, that doesn't prevent you from interacting with the browser until you confirm?

Maybe it pops open a toolbar at the top of the page along the lines of IE's "blocked content" message and Firefox's "install plug-in"...just more noticeable.

You could then have optional "traditional" alerts for times when you want to prevent the user from accessing the browser until they confirm. Such as: alert("message","strict") or alert("message","soft")

Comment 7 by David L. Burkhart posted on 2/15/2008 at 1:49 AM

Or, how about simply putting to use the good old "break" key? After all, what is it there for anymore?

There has got to be some sort of shortcut way to cancel a script from within a series of alert messages.

Comment 8 by Arnauld Chevallier posted on 11/18/2008 at 10:25 PM

This is an old thread and new solutions may have been implemented -- though I haven't heard of any. But anyway, I just wanted to share the following trick that I'm using to get rid of a perpetual alert() on FireFox:

just press and hold Ctrl+F4 on the keyboard, then use the mouse to click the "OK" button of the modal box. A last alert() may be fired, but the current tab should be closed.

(Note that it was only tested on FireFox 3.)