Sun. August 11, 2013 @ 1:38 pm

Sublime Text 3’s “find under” and “Whole Word” searching

When searching for highlighted text, Sublime Text doesn’t respect the “Whole Word” setting set in the “Quick Find” panel, like it does with case sensitivity.

super+option+g (find_under) doesn’t respect it.
super+d (find_under_expand) doesn’t respect it either.

Unless you don’t actually highlight the word you’d like to search for. If you allow either command to naturally select the word (with whatever word boundary you have set), it will assume you meant to look for only this word.

Thu. June 13, 2013 @ 12:00 pm

git rebase --interactive <current base>

Sometimes you need to maintain the existing base of a topic branch while futzing with your history (e.g., deleting or squashing commits). So I could look through git log or gitx (gee, yeah I still find the original version better than most new stuff) to find the current base of my existing fork (E is the current base for topic).

          A---B---C topic
         /
    D---E---F---G master

… or I could write a git alias for it!

[alias]
rim = !"git rebase -i $(git rev-parse $(git log HEAD --not master --reverse --format=format:%H | head -n1)^)"

So “git rim” automatically finds the current base (or master), and rebases against it.

Fri. November 30, 2012 @ 10:17 am

Bookmarklet: Enable Autocomplete

Every once in a while you run across sites that have disabled Autofill in their forms. Copy and paste this into a bookmark to enable it again.

Code:

var forms = document.getElementsByTagName("form");
var inputs = document.getElementsByTagName("input");
var fields = Array.prototype.concat.apply(Array.prototype.slice.call(forms, 0), inputs);
for (var i = 0; i < fields.length; i++) {
    fields[i].setAttribute("autocomplete", "on");
    fields[i].onpaste = null;
    if (window.jQuery) {
        window.jQuery(fields[i]).unbind("paste");
    }
}

Wed. December 14, 2011 @ 6:24 pm

JavaScript Eval: A lesser Evil?

The evilness of window.eval has been beaten to death. I’ll save you a recap, but the biggest drawback is its potential for XSS. However, there are still valid (though limited) uses of eval—mostly to parse JSON when native methods are not available.
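
The JSON fallback mentioned above is where eval meets untrusted text, so the input has to be shown to contain nothing but JSON tokens before it is evaluated. The block below is an added example, not code from the original post; it follows the validate-then-eval approach of Douglas Crockford's json2.js, and the function names (looksLikeJson, legacyParseJson, parseJson) are hypothetical.

```javascript
// Added example (not from the original post); function names are hypothetical.

// True only if `text` is built from JSON tokens: strings, numbers,
// true/false/null, brackets, braces, colons, commas and whitespace.
function looksLikeJson(text) {
    var stripped = String(text)
        // 1. Neutralise escape sequences so \" cannot end a string early.
        .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
        // 2. Collapse every complete string, number or literal to "]".
        .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
        // 3. Drop "[" where a value may start (input start, after ":" or ",").
        .replace(/(?:^|:|,)(?:\s*\[)+/g, "");
    // 4. Identifiers, parentheses and operators are left over and fail here.
    return /^[\],:{}\s]*$/.test(stripped);
}

// Fallback for engines without JSON.parse: refuse anything that is not JSON.
function legacyParseJson(text) {
    if (!looksLikeJson(text)) {
        throw new SyntaxError("input is not JSON, refusing to eval it");
    }
    // Indirect eval runs in global scope, so caller locals are not visible.
    return (0, eval)("(" + text + ")");
}

// Prefer the native parser; only fall back when it is missing.
function parseJson(text) {
    if (typeof JSON !== "undefined" && typeof JSON.parse === "function") {
        return JSON.parse(text);
    }
    return legacyParseJson(text);
}
```

The check rejects input before eval ever sees it, so a string carrying an assignment or a function call raises SyntaxError instead of running.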

Futzing around, I noticed that it is possible to execute JavaScript without eval.

var div = document.createElement("div");
div.innerHTML = "<input onchange=\"alert('hi');\" />";
div.firstChild.onchange();

There isn’t much to gain from this. But if we move it into an iframe and fire the onclick event rather than calling the handler directly, could it be possible to dereference the parent window? That might allow a more secure state for using our new “eval”.

The following does just this. The parent window is detached by first removing the iframe from the document. Afterward, window.top no longer references the parent window.

window.SECRET = "1"; // something to hide!
window.IFRAME = document.createElement("iframe");
document.lastChild.appendChild(IFRAME); 
var doc = IFRAME.contentWindow.document;
doc.open();
doc.write("<input onclick=\"" + 
    "var c = top.console; " + 
    "c.log('Secret: ' + top.SECRET); " + 
    "top.IFRAME.parentNode.removeChild(top.IFRAME); " +
    "c.log('Secret: ' + (top && top.SECRET ? top.SECRET : 'Whaa!')); " + 
    "\" />");
doc.close();
var input = doc.getElementsByTagName("input")[0];
if (doc.createEvent) {
    var event = doc.createEvent("MouseEvent");
    event.initMouseEvent("click", true, true, window, 0, 0, 0, 0, 0, 
        false, false, false, false, 0, null);
    input.dispatchEvent(event);
} else if (doc.fireEvent) {
    input.fireEvent("onclick");
}

Prints:

Secret: 1
Secret: Whaa!

Example

I’ve mocked up a simple test using this concept. Enter JavaScript below and run. Note: you won’t have access to any of the usual functions (alert, console, etc.).

Tested in IE, Chrome, and Firefox. (working out some of the kinks of this demo - bear with me :)