From 9b2d2e9c077408cd7facdebedb55570b7bd2d1b5 Mon Sep 17 00:00:00 2001 From: Dequis Date: Wed, 24 Jun 2009 16:36:03 -0300 Subject: Added documentation for javascript features --- README | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) (limited to 'README') diff --git a/README b/README index 801ee34..478b0e4 100644 --- a/README +++ b/README @@ -161,6 +161,38 @@ The following commands are recognized: - remember to quote the commands; one command must come as one parameter - if you use `chain` with a handler script which must return some output (such as a cookie handler -- uzbl will wait for and use its output), use sync_spawn or sync_sh instead of spawn or sh in the command that should give the output +### JAVASCRIPT HELPER OBJECT + +Javascript code run from uzbl is given a special object in the global namespace which gives special privileges to these scripts. This object is called `Uzbl`, and it is added and removed before and after the script execution so that it is hidden to web javascripts. + +Currently, the `Uzbl` object provides only one function: + +* `Uzbl.run( )` + - command is any uzbl command as defined above + - return value: a string, either empty or containing the output of the command. Very few commands return their output currently, including js, script, and print. + - Examples: + * `Uzbl.run("spawn insert_bookmark.sh")` + * `uri = Uzbl.run("print @uri")` (see variable expansion below) + +### JAVASCRIPT SECURITY + +Since defined variables and functions are set in the global namespace (`window` object) as default, it is recommended to wrap your scripts like this: + + (function(Uzbl) { + ... + })(Uzbl); + +This way, everything is kept private. It also turns Uzbl into a local variable, which can be accessed from callback functions defined inside. However for some situations, isolating everything isn't an option, for example, with binds. You can define them directly in the script body, and use `var Uzbl = window.Uzbl;` to make the Uzbl variable local, as in the following example: + + function f() { + var Uzbl = window.Uzbl; + Uzbl.run(...); + setTimeout(function() { + Uzbl.run(...); + }, 500); + } + +Copying the Uzbl object and creating public functions should be taken with care to avoid creating security holes. Keep in mind that the "f" function above would be defined in the `window` object, and as such any javascript in the current page can call it. ### VARIABLE EXPANSION AND COMMAND/JAVA SCRIPT SUBSTITUTION @@ -258,7 +290,7 @@ The script specific arguments are this: * cookie handler $8 GET/PUT - $9 request address host (if current page url is www.foo.com/somepage, this could be something else then foo, eg advertising from another host) + $9 request address host (if current page url is www.foo.com/somepage, this could be something else than foo, eg advertising from another host) $10 request address path $11 cookie (only with PUT requests) -- cgit v1.2.3