[Greasemonkey] Clever Alternative to unsafeWindow
Lenny Domnitser
ldrhcp at gmail.com
Fri Dec 2 16:17:43 EST 2005
Jesse Ruderman writes
<http://www.squarefree.com/2005/12/01/updated-greasemonkey-scripts/>:
> My version of the script works by setting location.href to a "javascript:"
> URL when it wants to call in-page functions.
This is a really clever way to access in-page functions on untrusted pages.
If you have to get a value out of a page script, a simple object like
an integer can be accessed by adding an iframe with
src="javascript:someFunction()" and pulling the value out of the DOM
with something like parseInt(myFrame.contentDocument.body.innerHTML).
Of course this should only be used with strings or with something you
can parse, like integers. That is, don't use uneval/eval, as this
makes the strategy no better than using unsafeWindow.
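
The parsing step described above, as an added example that is not part of the original post: the text read back from the frame is treated as untrusted data, accepted only if it is a plain decimal integer, and never evaluated. The name parseUntrustedInt, the length limit and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: strict parsing of text read back from an untrusted page.
// parseUntrustedInt, MAX_LEN and the sample inputs are constructed here.

const MAX_LEN = 16; // longest text we are willing to inspect

// Accept only an optional minus sign followed by decimal digits.
// Returns a safe integer, or null when the text is anything else.
function parseUntrustedInt(text) {
  if (typeof text !== "string" || text.length > MAX_LEN) return null;
  const trimmed = text.trim();
  if (!/^-?\d+$/.test(trimmed)) return null;
  const n = Number(trimmed);
  return Number.isSafeInteger(n) ? n : null;
}

// Constructed samples standing in for myFrame.contentDocument.body.innerHTML.
const samples = [
  "42",                       // what a well-behaved page returns
  " 7\n",                     // whitespace around the number
  "12<script>x()</script>",   // parseInt alone would return 12 here
  "(function(){return 1})()", // source text: eval would execute it
  "99999999999999999999",     // longer than MAX_LEN, rejected unparsed
];

// Map each sample to the parsed integer or null.
function classify(inputs) {
  return inputs.map((s) => parseUntrustedInt(s));
}

console.log(classify(samples));
```

Plain parseInt stops at the first non-digit and keeps the prefix, so the whole-string check is what makes page-controlled text rejected rather than partly accepted.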