Multiple upvars

I changed it.

(unless @sarpnt has a brilliant alternative :wink: ).

if you want my let block to be a C shape, make it a C block and add the variables to that function instead of the continuation. if you don't care about how it looks, you can make it very simply out of existing blocks by using RUN and creating parameters for the ring.
note that your current LET C block doesn't actually get rid of the variable at the end of the C, this means it has issues for two variables of the same name.

far better than any LET-block: couldn’t the SCRIPT VARIABLES block be extended so as to support variable initialization

this just sounds like you're still describing exactly what a LET block does. i really hope that image isn't what you would actually expect it to look like, it would literally require making an entire text version of snap just to initialize variables (try initializing a complex ring) and would block all sorts of variable names.

and possibly: declaring constants

snap already has constants, they're reporter blocks. i guess there's no nice way to make local constants (there's CREATE BLOCK, but you need to remember to delete the block, and you can't just drag the block out, so you need to fiddle around to get the block while editing, or use the upvar, which ruins the point)
i don't think local constants are that important, and it would likely be confusing in all sorts of ways.

No.JS isnt that powerful

"powerful" is way too vague, it doesn't really explain your answer. what stops a script from hijacking the existing project save/load code? snap is coded in js.

it cant corrupt ffiles

if snap can save projects, and snap is js, why can't js corrupt files?

WAIT WHAT ITS NODEJS
Oh....
@jens if you make offline snap pls dont node.js

no? nodejs is a program that runs js. js is a programming language. snap doesn't run in nodejs, it runs in the browser.

Yeah so it cannot download stuff without permission

people give permission to snap when they load and save projects. a project could use js to change what the load/save buttons do, then when the user later tries to load/save a project, it puts a different file instead.

and you can refresh to cancel the effect
js is safe if you guys don't be dumb and give passwords and permission

refreshing doesn't unsave a file

i could also just stop explaining how it would work and just hold your projects for ransom

yes, but people wouldn't do that. i've explained why already. people would run the malicious project, it changes what the save project button does, and later if they try to save a project for whatever reason, it would save something else, possibly replacing a project on the hard drive if the user selected that.

filesaving windows don't save if you press the deny button

Guys, just read the entire reason js was turned off by default

Javascript can be dangerous, even if you're trying to avoid it. If you want to avoid malicious websites, just turn off javascript. This is basically what the snap team did, only just for the javascript function block because obviously snap requires javascript to run.

It's not.But Java is.
If you don't give it your password,its not dangerous

Note discussing ways of using JavaScript for malicious use is not considered good forum behaviour.

If you find an attack vector, do not talk about it here.

Don't speculate in public

Instead, email the team with any proof that you have about an attack vector.

:slight_smile:

You can talk about malicious js now----the bug isn't here untill next release!
But other bugs should not be released to public unless it is fixed

closing this thread as it has degenerated from the original question into - yet another - frenzy about boasting speculative JavaScript fantasies.