Hairyears is a user on mastodon.technology.

Oh shit.

Excel adds JavaScript support.

reddit.com/r/programming/comme

As if macro viruses weren't enough, now we can worry about spreadsheets having crypto-mining malware.

This is not the future I signed up for.

@craigmaloney

I read that Reddit post until it degenerated into a 'WeHateVBA' thread... Which wasn't very far in.

Microsoft will be running the JS through their own 'Chakra' engine and they will make *some* attempt at sandboxing and lockdown.

Plus the 'no macros and scripts' option they've had - and needed to do better - for decades with VBA and the *native* VBScript support in Excel since 2003.

So there's nothing new here, except the sheer volume of JS malware out there.

@craigmaloney

The major problem is the same old problem: everything in Excel is done by non-programmers and it's made too easy for them - even easier than PHP - to write terrible code that looks as if it's working.

Now add 'Security-Oblivious and they're using js' to the brew.

Some things in Excel are done by experienced developers, using VBA as the 'visual shell' language to deliver functionality running in C#, C++, Java, Python. That works very well but...

You can call *anything* in Excel.

Hairyears @Hairyears

@craigmaloney @Hairyears

So the short version is: this isn't new.

VBA and VB and VBScript exist because Microsoft wanted everyone to be able to code, and Excel exists as an easy UI for them to import functionality from anything, anywhere, any way they want.

Making it even easier to do that with JS isn't new.

It all boils down to the quality of the Chakra JS engine's sandbox, and Microsoft's willingness to police the scripts that they allow to run.

...Which is to say: I share your pessimism.