Microsoft Adds Support For JavaScript Functions in Excel (bleepingcomputer.com) 171
An anonymous reader shares a report: At the Build 2018 developer conference that's taking place these days in Seattle, USA, Microsoft announced support for custom JavaScript functions in Excel. What this means is that Excel users will be able to use JavaScript code to create a custom Excel formula that will appear in Excel's default formula database. Users will then be able to insert and call these formulas from within Excel spreadsheets, but have a JavaScript interpreter compute the spreadsheet data instead of Excel's native engine. "Office developers have been wanting to write JavaScript custom functions for many reasons," Microsoft says, "such as: (1) Calculate math operations, like whether a number is prime. (2) Bring information from the web, like a bank account balance. (3) Stream live data, like a stock price."
What could possibly go wrong? (Score:5, Funny)
....
Re:What could possibly go wrong? (Score:5, Insightful)
The worst?
With the tight security model Microsoft (and intel) always holds, combined with the track record of Javascript, they sky is the limit!
Re: (Score:2)
Re: (Score:3, Funny)
Re:What could possibly go wrong? (Score:5, Insightful)
While Dante's inferno depicts several circles of Hell with the Devil in the center/bottom circle stuck in the floor being tortured for eternity - that's really not even the limit, there's another less well-known circle of Hell smack in the center: the Devil's colon. That is where this will go. That said, it's better than VBA.
It's barely better than VBA. JavaScript is (in the 21st Century) the equivalent of VBA in the 90's. Quick, crude, and unstructured; it's the "rabble" of languages.
Re: (Score:2)
Not only that, but it's still going to have to use the existing Office App data model which is half of why VBA is such a clusterfuck in the first place. Which is to say a bunch of bizarre COM bindings and related retardation.
Not the Excelent Excel Object Model (Score:4, Interesting)
No, it does not use the Excel Object Model.
The Excel Object model is actually very good. Sensible and clean (ignoring recent horrors like the ribbon). COM is a mess, but the object model is excellent.
Moving to JavaScript does not merely men replacing End If with {}. The JavaScript model runs in a client server style, with futures etc. Much, much more complex. That is the essence of the change, Not the actual language.
10 lines of VBA becomes 100 lines of the new Java API. And is impossible for non-programmers to write. And that is what VBA supports, non programmers.
In VBA you can even record a macro, see the object handling, and then tidy it up afterwards. Excellent.
What actual users of Excel want is the VBA to be properly supported. It was abandoned for .Net, which was unusable by non programmers and very difficult to deploy. And now the fashion is Javascript. But since when to developers listen to uses? Wot's hot and wot's not. That is what counts.
Re: (Score:2)
Re: (Score:3)
VBA is actually an excellent language, better than JavaScript. The main advantage is that it includes static typing which is a killer feature for larger programs. VBA has classes and properties and dynamic typing, only thing missing is closures which are rather esoteric. There are a few historical quirks in both languages.
End If is actually better than {}s, because the compiler can detect errors -- the {} approach was introduced in Algol 60, replaced with End If (actually Fi) in Algol 68 (1968). Most l
Re: What could possibly go wrong? (Score:1)
Spectre will make this easy to scrape credentials and whatnot from memory.
Goes like this
1. Ransomware infected document makes its rounds in email.
2. Files encrypted, and credentials uploaded to the Internet.
3. Machines and Domain Controllers 0w3ned! Backups purged to prevent recovery.
4. The compromised organization folds, people lose their job.
5. Parents without income, children go hungry.
Re: (Score:2)
You forget, marketing is in charge of development. For every security bug patched, Microsoft marketing introduces new and exciting security holes to improve the user experience.
Re: (Score:2)
Re: (Score:1)
Sooooo, this is how SkyNet begins...
Re: (Score:2)
I'm listening... (Score:4, Interesting)
This could be good, if they handle errors well. If they use the same default "fail silently" practice as they do with VBA functions, then it will be just as dangerous as those are.
Re: (Score:1)
Yes (Score:5, Funny)
Re:Yes (Score:5, Insightful)
Which is at least an Open Standard Programming language. Which works on different OS's and hardware architecture. And designed to run relatively safely on your PC.
VB is a hold over the Bad Old days of Microsoft. Where to get the feature you needed the entire ecosystem. Even the long time Office for the Mac, didn't didn't support VBscript (or at least not completely)
The biggest issue I have, is people using Excel and Access as their programming environment, to try to bypass us egotistical developers and get a program running fast. Only to have it break a year down the line and get those egotistical developers digging in poorly written and designed system to make heads or tail on what went wrong.
Re: (Score:2)
Re:Yes (Score:5, Funny)
By turning it off.
Re: (Score:2)
Being that JavaScript has been running on browsers for close to 20 years. While not 100% secure. It is designed to not to interact with your actual PC, just in the container it is designed to run it (the browser) we have been safe from a lot of the nonsense that Microsoft has exposed us to in the past, with VB Script and Active X controls.
The vulnerabilities in Javascript have been quickly fixed and isn't a flaw in the language but in the interpreter. While the Microsoft languages, where designed in era w
Re: (Score:2)
Re: Yes (Score:2)
Feel free to post a link to the source
Re: Yes (Score:4, Insightful)
What does this have to do with a browser? This is Excel. I can write a JS program that will erase your hard drive if I am running it in a shell.
Feel free to post a link to the source
var fso = new ActiveXObject( "Scripting.FileSystemObject" );
fso.deleteFolder( "C:\\", true );
Re: (Score:2)
pwnt
Re: Yes (Score:2)
So that isn't available in VBA already? What makes that more of a security hole in JS?
Re: (Score:2)
So that isn't available in VBA already? What makes that more of a security hole in JS?
It's not a security hole in JS per se, and of course you can do exactly the same thing in VBA. But the statement was "This is Excel. I can write a JS program that will erase your hard drive if I am running it in a shell.", and you invited someone to post source backing that up, which I did.
The point, and I think we agree on this, is that no language, be it VB, JS, perl, or python, is inherently dangerous. It's all about the context in which they are run and the APIs they have access to. JS in the browser
Re: Yes (Score:2)
Yeah I should think before I post really :)
Re: Yes (Score:2)
I've been here a lot longer than you now fuck off.
Re: Yes (Score:2)
I'm salty because some bellend told me I don't belong here.
Re:Yes (Score:5, Interesting)
There is a huge group of computer-using professionals that live and breathe Excel.
They are not programmers. But they do have script-kiddie level of competence, which they use for making Excel formulas and macros.
These people are in love with Excel, and when they submit requirements for actual software development, they adamantly insist that the software accept Excel documents as input, and that everything the program does be controlled by Excel.
This creates terrible inefficiency, gobbles up memory, slows the system down, injects an endless stream of bugs and support issues, and lets utterly unqualified people inject code into complex systems with little-to-no insight as to what-all is going to break because of it. But if you try to convince them to allow you to implement some of that logic in a proper coding language, they flatly refuse.
So, of all the programming languages that are common in the industry, which one is most likely to be one that this class of user has encountered, tampered with, and prefers?
Of course javascript. One of the Internet's oldest mistakes, and one of the worlds most sloppy and dangerous tools, will be put into the hands of non-programmer power-users to use right in the center of complex mission-critical systems that directly impact things like....oh I dunno....large sums of money moving around.
The world is run by the wrong people.
Re: (Score:1)
Fire these idiots and replace them with people who have a brain.
I consider this fixed and close the ticket with your permission.
Re: (Score:2)
I didn't ask for permission. I assumed it, and if you happen to disagree, just drop me a note (that will curiously be eaten by the mail server).
Re: (Score:3)
You have had too much of that white powder - those are not computer professionals - they are either zombies or aliens.
Re: (Score:2)
There is a huge group of computer-using professionals that live and breathe Excel.
You have had too much of that white powder - those are not computer professionals - they are either zombies or aliens.
Worse. They're MBAs.
Re: (Score:2)
Re: (Score:2)
These people are in love with Excel, and when they submit requirements for actual software development, they adamantly insist that the software accept Excel documents as input, and that everything the program does be controlled by Excel.
This creates terrible inefficiency, gobbles up memory, slows the system down, injects an endless stream of bugs and support issues, and lets utterly unqualified people inject code into complex systems with little-to-no insight as to what-all is going to break because of it. But if you try to convince them to allow you to implement some of that logic in a proper coding language, they flatly refuse.
Lo, I was beset by such ills, and I went to the mountaintop. Upon the mountaintop was a burning bush, and in a booming voice it spoke:
C S V
So it is written. So let it be done.
(Seriously, tell your Excel jockies the input format is CSV, or TSV, or whatever. As a bridge between Excel and real code, it's a gift from God. They can play to their hearts' content in Excel, but they have to give you plain data, and accept plain data from you.)
Re: (Score:2)
Everything you just described is fundamental to receiving data from non-programmers. Excel isn't causing that problem, it's users are - and they'd be causing it regardless. But, hey, normalize your inputs and get on with life.
Re: (Score:2)
"Your document is taking too long to load. Do you wish to cancel running the scripts or continue to wait?"
This will be used for mining (Score:5, Insightful)
JavaScript/Excel Type handling & Secutiry? (Score:2)
Personally, I think this capability could be extremely useful and should be pursued.
But, my first thought was to type handling - both environments largely handle data typing automagically and I would like to see how incompatible types are recognized and handled. I would worry about JavaScript's tendency to ignore failures and carry on as best it can without notifying the user as being a significant concern. For this reason, I would consider Python to be a better choice.
I wish in the TFA, when they referen
Re: (Score:1)
I'm pretty excited because it seems like it will make it quite easy to use regex to filter.
Currently, I have to either use google sheets, or contort something that abuses functions to get some filters done.
Re: (Score:2)
Regex is already available in Excel through a reference to "Microsoft VBScript Regular Expressions 5.5".
This is very very welcome...but... (Score:4, Informative)
Folks, I will have to say that this development is very welcome though what really saddens me is this: -
There's no Open Source Excel alternative that comes even close to what Excel can do.
To make matters worse, there's no [serious] effort to create anything capable.
Re:This is very very welcome...but... (Score:5, Informative)
Re: (Score:2, Insightful)
Running existing Excel macros, Power Pivot, lots of chart types, external data sources, multithreading.
Comment removed (Score:4, Insightful)
Re: This is very very welcome...but... (Score:3)
What should you be using instead?
Re: (Score:2)
If your "data scientist" is using Excel, fire him, immediately.
I think that's a bit harsh. I've got a friend that, that is their job and it wasn't until a lot of crying and begging did they approve Python and R for install on the laptops. You've got to remember that sometimes you just have to work with the tools that upper management will allow.
I'm not suggesting that, that justifies anything, just that sometimes it's hard to get non-data folks to agree to thing, even free things.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The main one for me is tables. In LibreOffice Calc, I can give a range a name, and I can add an AutoFilter, and I can create my own total row, and I'm sure I can put together some kind of nice style for the table of data, with alternating row colors. In Excel, it's a one-click action. From there, I can also easily add a formula to a cell, and have to copy down to all rows. Each row has its own name, making formulas referring to cells within the table easier to read.
There have been other Excel niceties m
Re: (Score:2)
You want to see twitter feeds from Bloomberg and Reuters in your spreadsheet?
I'm pretty sure that's possible in LibreOffice. I've seen similar screen scraping macros. Of course, it's still probably the wrong tool for the job. :-(
Comment removed (Score:5, Informative)
Re: (Score:2)
There is one where people who booked Tesla Model 3 are entering data to predict info Tesla is not revealing, VIN, production rates, etc etc. 5000 people collaborative editing. Pictures, charts, rolling 21 day averages, historic charts predicting wait times for each color + wheel combination, and what not..
There is one used by Indian/Chinese H1B applicants tracking the reports of who got what when. I have not seen it, but it supposed to be ove
No, not JavaScript! (Score:5, Interesting)
Good God, of all languages, why JavaScript? JavaScript is a terrible programming language! And its floating point math is bonkers, have you ever tried doing 0.1 * 0.2 in JavaScript, the answer is 0.020000000000000004! Can you imagine how main spreadsheet errors this will cause?
And JavaScript doesn't even have type safety! If Microsoft were smart, they would use a compiled programming language, like C, that you'd have to compile using a command-line compiler with a GPG-Key that you could inspect to avoid government MITM attacks! Now the government can get your tax spreadsheet information!
And, JavaScript is terrible because a lot of popular JavaScript frameworks have their own package managers! Can you imagine developers BLINDLY TRUSTING whatever package and whatever dependencies it has? Every developer should be forced to only use the OS package manager to install JavaScript libraries!
And, JavaScript is terrible because hundreds of programmers release hundreds of new packages every day, and they grow old and stale and now the JavaScript package ecosystem is older and staler and more crowded than the iOS app store ecosystem!
And, JavaScript is terrible because anyone can just pick it up and start playing with it, and they can write a web server in 15 minutes without even knowing about tail recursion or Monte Carlo cyclomatic complexity reduction! Script kiddies will start taking our jobs, and they don't even have to know how to covert an AST optimization into a stack heap implementation!
I hope that Microsoft realizes the error of their ways, and instead implement something like LISP as the programming language.
Re: (Score:2)
Re: (Score:3)
FTFY
Re: (Score:3)
Javascript, by itself, is about on par with safety as any other scripting language such as scheme or Lua. Any lack of safety lies entirely in what underlying operating system frameworks are exposed to the api of the script language by the language embedder. By default, there is nothing that stands out to my knowledge in the javascript core library that would be considered unsafe.
That said, I won't argue that there are a few characteristics of javascript that might make it undesirable as a programming
Re: (Score:2)
That's called floating point arithmetic. It has nothing to do with the language.
Re:No, not JavaScript! (Score:5, Informative)
have you ever tried doing 0.1 * 0.2 in JavaScript, the answer is 0.020000000000000004! Can you imagine how main spreadsheet errors this will cause?
You appear to be ignorant of the way floating point numbers work. This is not a feature of JavaScript, but of the CPU in your computer. Try entering "=0.1*0.2" in an Excel cell and then turn up the format to 20 digits of precision. I'm not saying that JavaScript is good, but using this as your first example of how bad it is doesn't help your credibility.
Re: (Score:2)
You mean just like in Excel?
JS is an excellent match for JS. Floating-point math? Check. Playing fast and loose with strings and numbers? Check. Massive additional attack surface on something that would often have been better served with simple static data? Check.
Re: (Score:2)
Re: (Score:2)
You've listed nothing relevant at all and also demonstrated that you don't know much about Excel.
Excel uses floating point too, just like JavaScript. The same basic type of floating point too, IEEE 754
https://support.microsoft.com/... [microsoft.com]
Excel doesn't have type safety in its cells either. Or in its current VBA language.
Microsoft isn't embedding a package manager in Excel
Again, Microsoft isn't embedding a package manager in Excel.
Excel used VBA because it's easy to pick up and use. You've listed a pro, not a con
Re: (Score:2)
... doing 0.1 * 0.2 in JavaScript, the answer is 0.020000000000000004!
That's what happens in floating point arithmetic regardless of the language. Try it in Python.
Moron.
Re: (Score:2)
I'll sell you some. I heard Slashdot Mod Points are going for $3 a point.
Re: (Score:2)
I wish I hadn't commented here so I could mod the parent post down.
null etc. doesn't even realise Excel ha always used floating point arithmetic internally, so it's a benefit that JavaScript also uses IEEE 754 floating point.
Keeping up with the Joneses (Score:3)
Speed (Score:2)
Stop Press :] (Score:2)
Please shoot me (Score:4, Insightful)
But could you please do it before the first batch of Excel-based javascript-empowered cryptominer and other malware arrives in our company?
Who the FUCK thought it would be a great idea to marry the one file format every idiot opens when it arrives in his mailbox because that's what he does all day with the one scripting language that can the easiest be obfuscated to escape the current antivirus signatures?
So far I was willing to say that MS simply can't fight malware, but this makes me wonder whether they get a cut of the profits.
Re: (Score:2)
It's very likely the same JS engine they use in Edge... so its as safe or unsafe as your network policy and idiot users are today.
A lot of organizations are fucked then.
When will they learn? (Score:5, Interesting)
Microsoft has added various scripting languages to their Office products over the years... and each and every one has been abused by bad actors at some point, forcing Microsoft to cripple and/or remove the capability. What on earth could possibly make Microsoft think that adding JavaScript to Office documents will be any different? Particularly since it has already been abused in a myriad of ways within web browsers??
As the old saying goes, "The definition of insanity is doing the same thing over and over again, and expecting different results."
Re: (Score:1)
As the old saying goes, "The definition of insanity is doing the same thing over and over again, and expecting different results."
I'll just leave this here https://www.psychologytoday.co... [psychologytoday.com]
Re: (Score:2)
That article serves no purpose in this context, unless for some reason you're attempting to deflect from or minimize the detrimental impacts of Microsoft's poor decision making in this situation. Certainly you could be pedantic and argue that Microsoft isn't technically exhibiting insanity so much as they are exhibiting "perseveration" behaviors... but that distinction offers no particular benefit to the discussion, and only serves to confuse people.
Sometimes "cute sayings" are quite adequately descriptive
Re: (Score:2)
As the old saying goes, "The definition of insanity is doing the same thing over and over again, and expecting different results."
This is Microsoft WINDOWS we're talking about. Don't you re-install it every 6 months too, saying "This time is the very LAST time."
Re: When will they learn? (Score:2)
Re: When will they learn? (Score:2)
It was if a million IT professionals screamed (Score:1)
all at once.
VBA not "good" enough? (Score:2)
I am so tired of other java systems failing after an automated java update, now the CFO's spreadsheet fails... spectacular idea.
Re: (Score:2)
Java != JavaScript. At all.
Re: (Score:2)
And you've just demonstrated your inability to function in IT, not knowing that JavaScript and Java are completely different.
Re: (Score:2)
Vulnerabilities? (Score:2)
Cause they didn't have enough gaping wide vulnerabilities with VBA?
Here's hoping they carried over all the lessons learned.
Thank you! (Score:2)
I'm in an organization that INSISTS on using Microsoft Excel as an administrative end for an entire ecommerce platform. They want to use it for all of their inventory management. The last major iteration, I finally said "FUCK THIS SHIT", and wrote a quick VBA script that simply copied the current sheet to a new document, saved as XLSX (for those unaware, this format is just a small collection of XML files ZIPed up, with a custom file extension), and then the VBA script uploads this new single-sheet document
Clearly a Good Thing (TM) (Score:2)
This is clearly a Good Thing, and could never cause any kind of security concerns.
After all, the one thing I always wanted in my company's proprietary and highly confidential corporate budgeting spreadsheets was the ability to stream random data from the Internet.
Also, I have a bridge in Brooklyn to sell, the biggest and most amazing bridge ever. Call today!
I have an idea (Score:2)
Remove custom functions, scripting and macros from Excel.
At the very least, it will stop people building business critical applications as a spread sheet.
On second thought, bring on the JavaScript functions. I make a lot of money replacing spread sheet applications with real ones.
News flash from the future (Score:2)
Financial melt-down due to developer pulling NPM packages for some arbitrary reason; economists inconsolable!
Gross... (Score:2)
Well, count down to viruses.
No news is bad news (Score:2)
At least update the broze-age era IDE already! (Score:2)
While they're at it, will they at least update that broze-age era IDE that lurks inside MS Office like a horror in a dark cellar?
Re: (Score:2)
It's my understanding that VB macros do not require source code to be distributed if it has already been compiled into byte code.
Presumably, one can vet the source code themselves if they are wary of third party code.
Theoretically, at least, javascript has a potential of being safer than VB in this regard.
Re: (Score:2)
I didn't suggest that this would make the system as a whole any safer, I said that JS, in this respect, is less likely to be successfully used as an attack vector than VB because the end user can vet javascript source code themselves if they are so inclined, and possibly spot any dangerous code, while VB has the option of being distributed as pre-compiled byte code.
But of course, if they are keeping VB (and I expect that they are), then obviously the system isn't any safer at all, because attacks can sti
Re: (Score:1)
Re: (Score:3)
I can already manipulate any of Excel's data with C++, C#, VB.NET, VBScript, yes, JavaScript, and any other language that can handle scriptable COM objects. I wouldn't necessarily call this a game changer.
It's not a game changer to a programmer. It's potentially a game changer to some desk jockey in a low tech job that can copy and paste formulas from the internet and can follow it well enough to make a few simple changes.
Although... they have VBA for that already.
All Good, except for this other thing (Score:2)
Perish the thought, unless you want to end up in Federal pound-me-in the-ass prison!