I don't think any JS code can be worse than old PHP code. I've had to deal with legacy software written with PHP4. I was to port it to PHP7 since it was not compatible with PHP5.4+. The code used "register globals", meaning that variables were created on the fly from the parameters in the URL, the POST form data, and the cookies.

Requesting `index.php?something=X` implied `$something = "X";` in the global scope at the beginning of "index.php". And since the global scope was not limited to a file, tracing a variable through files and side effects was a nightmare. Even understanding the code intent was often hard!

Before PHP7, there were many elements of the language that were meant to simplify its usage, but had awful consequences in many cases. Even more because it bent the PHP community toward a quick and dirty process. "Magic quotes", the automatic escaping was one of those abominations. For any request input (e.g. POST form data), it added backslashes before single quotes. It was meant to protect data automatically in case it was inserted into a SQL request... It granted no security gain in this context, and was a mess for any other use.