Uzbl News 2010.01.05: Nasty security bug 2010-01-05 Simon Lipp brought to our attention a nasty security bug.
Apparently there are ways for javascripts from a website to reach our 'Uzbl'
object an use its "run" function, by using DOM method overriding, stack
inspection and maybe more.
I'm far from an expert in the field so I suggest you check the thread
on the mailing list for more details.
But basically, if site admins modify their JS they can use the 'Uzbl.run'
feature to execute uzbl commands (such as shell commands).
One of the many possible exploits is demonstrated here.
It will show you the output of 'cat /etc/fstab'.

So do not run any uzbl version that has the 'Uzbl.run' feature (was
introduced at release 2009-07-03).

We're currently finding out how to plug this hole decently without loosing
features, but for now you should use this new release which is nothing more then 2009.11.22 with the
Uzbl object disabled.
This will break local javascripts who rely on it, such as:
- link follower scripts
- scroll-percentage.js (used for displaying the scroll percentage in statusbar)
- extedit.js (used for editing html textareas with external editor)
- js code in config to focus input area on pageload and change mode depending on focus.

All my git branches also have this temporary fix applied



Dieter

 2009.11.07: A huge makeover. The second phase in the life of uzbl 2009-11-07 For the last two months, Rob Manea and Mason Larobina have been doing truly awesome work
giving uzbl a much needed makeover and today, all those changes should be ready for
wider consumption.
Various patches were also contributed by Barak P, Brendan T, David K, Maximilian
G, Olivier S and yours truly. (authors file)

Hilights:

  • splitup and better separation of concerns: uzbl-core, uzbl-browser and uzbl-tabbed.
    Basically:

    • Uzbl-core is the old uzbl, minus the built-in event handling,
      and minus the keyboard interface. (statusbar is still there, but more flexible)
    • Uzbl-browser is a complete, "working out of the box" browser
      implementation based on uzbl-core and many of the scripts we already
      knew. It handles a lot of the events from uzbl-core, it also handles
      keyboard input, it updates the statusbar when appropriate, and also some more things.. (read on)
    • Uzbl-tabbed is the old uzbl-tabbed, but refactored to work with the new
      uzbl-browser. (note: this is not done yet. uzbl-tabbed is broken in this
      release, you'll have to wait a bit or try out jake's C++ tab manager)



    For more information, refer to the readme.

  • EM (event manager) instead of handlers : very finegrained, language agnostic way to handle
    events: anytime anything happens, uzbl-core emits a message on stdout
    and/or over a socketfile, so you can handle everything (or not) however
    you want. The only remaining handlers right now are cookie, download and
    scheme. On the long term we want to shift all of those to the events
    system, but then we'd need synchronous events..
  • Much better keybinds (support for special keys, everything is configurable, better
    Modkeys, more generic/flexible modes). Your old binding strings should be backwards
    compatible, but the way binds are defined is now different.
  • ability to add entries to the various context menus
  • print support
  • and much more
  • the website and docs have also had an overhaul to reflect these changes



I highly recommend you study the new sample config carefully. A lot of
things have changed, and a lot of things are now possible which weren't
before. Many of these things are now demonstrated in the sample config.

Also, if you were using many of the example scripts from the old uzbl, you
probably now just want 'uzbl-browser'. It comes with all the scripts by
default, so you can remove them all in your XDG* dirs (unless you want to
override them).



PS: If you run uzbl on the commandline, you'll see a lot of 'Gtk-WARNING **: Ran out of
links' messages. We haven't figured out yet what these are but they seem
harmless.

Dieter

 Uzbl @ fosdem 2010 2010-01-24 I will be doing a lightningtalk about uzbl at the fosdem
conference in Brussels on 6/7 february.
more info.

I hope to see you all there!

Dieter 2009.08.26: scheme_handler, cookies_daemon.py and some fixes 2009-08-26 - scheme_handler: lets you define actions for url's who begin with 'mailto:', 'git:', 'irc:' and so on. (thanks to Tom Adams)

- cookie_daemon.py: based on cookies.py, but now in daemon implementation for fast performance.
For usage instructions and more info see cookie_daemon.py wiki page
(Thanks Mason Larobina)

- download handler gets same proxy setting as uzbl (Paweł Zuzelski),

- Home/End keys forwarding


- 2009.08.26 tree
- 2009.08.26 tgz


Dieter 2010.02.02: Uzbl-tabbed and linkfollowing back from the dead 2010-02-02 A lot of patches have been piling up lately. Looking back I'm suprised
myself so much has changed again.

First the awesome news:
- Uzbl-tabbed is working again. Simon Lipp has done some great work
refactoring it so that it works again after the big 2009.11.07 overhaul.
It now uses uzbl events to control its behavior, which you can bind with
the keybinding system from uzbl-core. Have a look at the added tabbed
bindings in the config file.
Also various other improvements have been made to it by him and Mason.
- We have a new link follower script (follow.js). Not only brings this back
linkfollowing after it broke in 2010.01.05 (this one doesn't depend on the
Uzbl object), but you can actually configure which keys you want to use for
hinting. Hence we dropped follow_Numbers.js and follow_Numbers_Strings.js.
Thanks Jason Woofenden and 'tczy'.

Then the good news:
- README cleanup (Daniel M. Hackney)
- FAQ additions/updates (me)
- config cleanup, added uzbl-tabbed bindings (Mason)
- various fixes to various python scripts/plugins (Mason)
- remove all references to Uzbl object and jsh in config. Middleclick-bind
and yanking are working again, they are implemented in sh (Mason)
- scrollbars_visible option (Simon Lipp)
- some uriencode url fixes (Mason)
- print_events (to stdout) option for uzbl-core (Simon Lipp)
- argument expansion EM plugin (Mason)
- cleaner buildprocess (don't force binary stripping, better sandbox, ... ) (Pawel, Mason, me)
- directory reorganisation (me)
- better javascript error handling (Simon Lipp)
- strip leading whitespace from uri (Paweł Zuzelski)
- various other thingies...

The somewhat bad news:
scroll-percentage.js, extedit.js, auto-insert-mode-on-field-focus and
similar tricks are still broken.
We're still figuring out how to bring back the Uzbl object (or something
similar) in a secure way.
We will probably use Google's isolated worlds but it's not yet ported to WebkitGtk+.



Hope I didn't forget anything...

Dieter

 2009.12.22: Mode-specific keybinds and stuff 2009-12-22 - mode-specific keybinds
- executing commands through shell or directly
- loading javascript from file
- better sandbox in build environment
- COMMIT variable setting when building from tarball. For all nice packagers out there.
- geometry=maximized support
- reset keycmd correctly in linkfollow scripts
- create socket before daemonizing python daemons
- various fixes and patches
- and more...

See readme and new (sample)config for details.
(this stuff is backwards compatible. your old config will still work)

Thanks to Ciprian Dorin Craciun, Jason Woofenden, 'Vithon' and the usual suspects.



Dieter

 Projects based on / inspired by Uzbl 2009-09-06 Sometimes people disagree on some aspects and start their own project.
Or they want more, and build something new on top of the existing codebase.
Here is a list of all uzbl-based/inspired projects I'm aware of:

- uzbl_tabbed: Python-based wrapper around uzbl (using Xembed) which provides tabs.
This script is included with uzbl, in the examples directory.
(started by Tom Adams and currently led by Mason Larobina)
- pyweb: A browser ('framework') in python, inspired by uzbl.
The main point here is complete integration with python, and hence compromiseless flexibility (if you like python)
(led by Tom Adams)
- surf: I think I can best describe it as: 'Surf is to Uzbl what dwm is to wmii.'
Their codebase is smaller, but if you want to customize/integrate you'll need to hack some C. (suckless.org)
- ffuzbl:
A firefox add-on which brings the look and feel of uzbl to firefox. (but doesn't use uzbl itself) (Azer Koculu)
- Ezbl: Probably the youngest of them all;
this project aims to provide a browser in emacs by embedding uzbl using Xembed. (Daniel Hackney)

I also would like to port uzbl to / package uzbl for the n900.
I have a project page (uzbl mobile) but didn't
find the time to work on it yet.

Dieter

PS: We're currently hacking and refactoring 'events' in uzbl.
It will be much easier to handle all kinds of events (better then the current handlers) and also we'll be able to improve the keybind system a lot.
(See mailing list post for details) 2009.09.12: many refactorings, fixes and improvements 2009-09-12 - uzbl: deprecate the history_handler variable. The script stays, but you can bind to load_finish_handler. (Tom Adams)
- uzbl: more sensible (better performing) max_conns and max_conns_host (me)
- uzbl: don't hardcode keycmd clearing on load_start and make it optional (Tom Adams)
- uzbl: always_insert_mode fix (James S Wheaton)
- cookie_daemon.py: domain whitelisting (Michael Fiano)
- cookie_daemon.py: initscript-like {start|stop|restart|reload} commands (Mason Larobina)
- cookie_daemon.py: prevent duplicate daemons (Mason Larobina)
- uzbl_tabbed: multiline tablist (Jake Probst)
- uzbl_tabbed: bring_to_front (Devon Jones)
- Makefile: /usr/local prefix by default (Tom Adams)
- configs: don't put things like hostname in default user-agent (me)
- various code cleanups and improvements
- deprecate uzblctrl in favor of the more generic socat tool. (Tom Adams)


- 2009.09.12 tree
- 2009.09.12 tgz

In the meanwhile, the event-messages branch has been moved into experimental.
The diff is huge, it's still a work in progress but everyone clearly agrees that this is "the future".
It will bring many improvements, such as binding of special keys, a good implementation of Modkeys
and finegrained event handling in whichever (scripting) language you want.
See this mailing list thread for more details.

Dieter 2 Months of hacking (working). A status update. 2009-06-21 Depending on who you ask, you'll get various opinions on the state and
usability of uzbl. Some people are already using it full-time, others are
waiting for (or hacking on) one or two specific features they really want.
For me personally, what I still consider must-haves that are not finished
yet:
- better (faster) way of doing cookies, using one process instead of forking expensive python scripts all the time. (this is being worked on)
- a good instance management script that considers tag/name/page state etc.

Others seem to want:
- DOM access from C ~ better link following. (this is being worked on)
- greasemonkey and fancier JS extensions. (this is being worked on)
- a slightly more versatile configuration language (being worked on)
- refactoring keyboard shortcut interface


But other then that, yeah uzbl is pretty usable.

Also, I don't know about you but I just love (random) statistics so here you
go:
- peak amount of people on IRC: 83
- project followers on github: 95
- mailing list messages: 101
- commits (experimental): 1123
- lines of C code: 3198 (I hope this doesn't rise too much anymore)
- lines of code in sample scripts: 1341
- contributors: 27 (including myself)
- website visits: 33.600 (12.681 on may 26th, the day we were on HackerNews)

Furthermore, it seems like the wiki also started flourishing:
The howtos section lists tutorials for Gentoo, Debian, Ubuntu, PLD, MacOSX and NixOS.
And on the scripts and config pages people are posting really cool stuff.

Dieter. 2009.11.30: Bugfixes and two cool new scripts 2009-11-30 Apparently the argument expansion of the `script` command was kinda
broken for a while, which caused - among others - the linkfollower scripts to
stop working, this release brings a fix and more cool stuff.
Changes:

  • Scroll-percentage display script (like emacs and vim)
  • Script to edit textareas and other editables in external editor
  • Clean up sockets/fifos on SIGSEGV and other relevant signals (should fix most "fifo already exists" problems)
  • Fix malfunctioning parameter expansion when executing javascripts
  • Don't hardcode WM class


Thanks to Aldrik Dunbar (aka 'N3ON') for the scroll-percentage script and Rob and Mason
for their good work as usual.

Two more notes:

  • The 'Ran out of links' warnings are caused by a regression in GTK. This is now fixed upstream
  • The linkfollower scripts need a big makeover. See this thread for more info.





Dieter

 Some updates 2009-05-08 Various things have been improved/added recently. Here are the main ones.
I may have forgotten some.

- Keyboard based link following (uses link numbering for now)
- Customizable statusbar (both in what it shows, and in colors)
- Network settings (max connections, proxy, user agent (with variable replacement))
- Searching
- multichar key bindings
- bindings that can use arguments (other browsers call this "keywords")

You can find these new goodies in the master and experimental branches.
Don't forget to have a good look at the sample configs and scripts, and the
docs.

Thanks to all contributors!

We also have a logo now, thanks Thorsten Wilms!

TODO:
- some sort of "multiple instances management" (Not saying tabs)
- cookies
- much more

screenshot thumbnail 2009.08.08: fast cookies (WIP), custom variables, default font_families and more 2009-08-08 - talk_to_socket command: yeah baby this is it. With this thing you can
have handlers running in the background listening on a socket. You can
use this for fast communication with handlers instead of respawning them
all the time. You can try lwithers' cookie handler
but some people are also working on a python one.
Note that the current example config still uses the slower
spawn command!
We will improve this in the future to ship a socket based handler and use
talk_to_socket by default.
- removed html_mode in favor of "data URI scheme"
- custom variables: you can now set your own variables in your scripts and
config file and use them whereever you want.
- setting of default font_families.
- uzbl_tabbed.py:
* on the fly session saving and loading
* cleanup itself after being SIGTERM'd or SIGINT'd from the terminal
* re-factored fifo code


Get it while it's hot:
- 2009.08.08 tree
- 2009.08.08 tgz


Again, a huge thanks to all contributors!
They are the ones making this happen.

Dieter Xembed, more useful sample configs/scripts and more. 2009-06-20 Master branch now contains/supports:
- Gtk Plug/Socket (Xembed), comes with sample python script for tabbing uzbl
- a simpler way to play/test/develop/use for real:
The same config file and set of scripts can now used for all situations, by just overriding the XDG variables.
- patches for building on some different *nixes (BSD,OSX)
- bugfix for segfault on multibyte backspacing.
- Gtk icon.
- Zoom type toggle (full content vs only text)

There is a lot of stuff pending to be merged in experimental as well
(javascript/greasemonkey/DOM exposure/full duplex socket/uzbl config language features,..), so stay tuned!

As usual, thanks to all contributors.
The list just keeps growing and growing.

Screenshot First prototype 2009-04-27 We have something usable now. You can run uzbl and try out the browsing and loading new url's from history and/or bookmark file. Editing url's is a bit cumbersome for now.
Please see README to get you started. Building instructions are on this site. Mailing list 2009-05-23 We now have a mailing list: uzbl-dev@lists.uzbl.org
This will be the place for discussions.

For more info, see the new community page. More goodies 2009-05-26 The uzbl project is now just over one month old. To celebrate that we bring you the following goodies in the master branch:
- sample script "form filler". aids in creating and running per-domain configs for auto-filling of html form values. ( eg "remember password" but more flexible)
- various more things to tune (autoload_images, enable_spellcheck, disable_scripts, resizeable_text_areas, default_encoding and more)
- Html mode so you can `use | uzbl | like this` and do really fancy things.
- Webkit inspector
- loading of JS in files
- slightly improved command syntax (see example configs)
- bugfixes and many small improvements (suprise !)
- better documentation

As usual, don't have too high expectations. We are not even alpha yet...
We've seen again great interest and input from many people. Thanks a lot guys and girls.

Screenshot Cool new stuff. First release. And a nice community contribution... 2009-07-03 Hi. I intend to make the lives of downstream packagers a little easier so I
will call my master tags "releases" and provide links to tarballs.
Expect a new release every few weeks or so.

So here is the first uzbl alpha release, version 2009.07.03
- tree
- tgz

This version brings:
- A JS object to execute commands (be sure to read the security implications in the readme)
- config file changes: command substitution, variable expansion, javascript substitution
- bidirectional socket (responses come back through the socket now)
- reading config from stdin is optional now (so you can background uzbl)
- Makefile compat fix, typos, cookies.py XDG paths bugfix and more small stuff

For people with crappy window managers or on platforms
over which they have very little control (*cough* you know who you are),
lazy ones or just those who haven't seen the light yet,
there is more good news:
Some people in the community have taken it on them to improve
uzbl_tabbed.py.. a lot! (uzbl_tabbed.py was the proof of concept script
introduced 2 weeks ago to demonstrate the Xembed functionality)
While it is quite new, I must say it is starting to look quite nice (and
configurable).
It's not for everyone, but I think some people will really like it.
You'll find this updated version in the example scripts directory.

Screenshot
Screenshot


More info: Uzbl wiki: uzbl tabbed

PS: There are still plenty of patches in my todo list. Give me some more time :)

kthxbye.
Dieter More updates 2009-05-17 The master branch is again in sync with the experimental one and brings you these features:
- overhauled the config system. no more ini-files. We now use files with commands in the same syntax as what you write to the fifo/pipes etc.
- Entire configuration can be altered at runtime.
- more advanced binding and command parsing options (see sample config)
- support for dmenu-vertical (see screenshot). The sample scripts allow you to also search in page titles, bookmark tags etc if you have dmenu-vertical installed
- customizable window title
- massive documentation updates, which are also reflected on the website
- and quite a lot smaller fixes, additions and sample scripts...

As usual, plenty of people have been contributing to uzbl, and we keep welcoming new people.
See the AUTHORS file for details.
Thanks all!

screenshot thumbnail


Dieter 2009.11.29: Completion plugin, mouse events, better scrolling and more. 2009-11-29 Changes:

  • Keycmd completion plugin (see below) (Mason)
  • Mousebutton events (not yet combinable with modkeys) (Rob)
  • Improved scroll command (Nicolas Pouillard)
  • Security fixes in download.sh and scheme.py (Andy Spencer)
  • search_clear command to clear search string (Rob)
  • Give all executables in $PATH 'uzbl-' prefix (Dieter)
  • Socket I/O fixes (Rob)
  • better utf-8 handling with KEY_PRESS/RELEASE (Rob)
  • Point to correct prefix in default config (Dieter)
  • New events: PLUG_CREATED, COMMAND_ERROR, BUILTINS (Rob)
  • Removal of deprecated yank, clipboard, cookies.py scripts (Dieter)
  • Stacked bindings work from the insert mode now. (Mason)
  • MODKEY_ADDITION request to group multiple modkeys as one (Mason)
  • IGNORE_KEY request to customize which keys to ignore. This also allows non-english users
    to ignore function keys they need to press to access
    special characters without those keys registering as a modkey action.
    (Mason)
  • Many various fixes and improvements in code and documentation. big TODO cleanup



Keycmd completion plugin:
This plugin for the event manager (used in uzbl-browser) completes:

  • variablenames (with '@' prefix)
  • commands
  • variablenames in the set command (without '@' prefix)


The completion plugin aims to behave as similar to bash completion as possible.
When you press 'Tab':

  • If there is only one possible completion, it will complete right away
  • Otherwise, the keycmd will expand to complete as much as possible and will show you all options
    when you press 'Tab' again
  • If the keyword is in the completion list and you press 'Tab' again a space will be injected
    into the keycmd, in the case of set completion a ' = ' will be injected instead.



Screenshot



Dieter

 Cookies, custom stylesheets, and more. 2009-06-06 Master branch now contains/supports:
- basic cookie support. it just stores all cookies and submits them again when visiting the same domain. No policies or complete implementation yet. (EXPERIMENTAL)
- override page layouts with custom stylesheets
- improved formfiller and linkfollow scripts
- merged the concepts of actions and commands. you'll need to compare your configs and scripts again to the sample files. argument order may be different too.
- command chainging (multiple commands in one go)
- variable expansions in your configs and commands
- 'data:' and 'javascript:' urls
- setting the zoomlevel (eg set to 1.0 to reset zooming)
- dumping your entire configuration to stdout
- customize insert/command indicators
- should compile on BSD
- compiles as c99
- Makefile $PREFIX support
- bugfixes and many small improvements (suprise !)
The bug that bothered many people, that is when launching uzbl it would load the uri set in your config instead of the one passed on the command line, is fixed.

Thanks to all contributors. The mostly-uzbl website 2009-04-26 Uzbl now has a website, while there isn't much on it right now, I have a TODO list of features to implement. Like a news RSS feed. Possibly a simple forum in the future. Whatever. So, this will serve as the project's home page from now on :) Wiki 2009-05-23 There is now a wiki, to share Uzbl configs, scripts, screenshots, and suchlike. Segfaults with WebkitGtk 1.1.15.3 2009-10-24 Are you getting segfaults since you upgraded your libwebkit?
Try downgrading it to 1.1.15.2 or earlier.
The WebkitGtk guys told me they will do a bugfix release, but we impatient Arch users
can check:

- /var/cache/pacman/pkg/libwebkit-1.1.1*
- the (unofficial) Arch Rollback Machine

Btw: we're also preparing a new Uzbl release, based on the huge improvements
Rob and Mason have been doing (much better command interface/key handling/events/refactorings/..)
If you want to get a sneak preview, try out the experimental tree.

UPDATE: you can also use a new webkit version if you compile enchant with "--disable-zemberek"

Dieter 2009.07.18: unit testing, better variable expansion, new_window handler and more 2009-07-18 I recently introduced a new contribution workflow which
allows us to handle contributions more transparantly and efficiently, and
thanks to it, I've been able to integrate a lot of pending code.

So, a 5818 lines changeset brings:
- a unit testing framework
- better variable expansion with support for constants and html escaping.
- delete our old Gscanner based keyword replacer, we now use our variable expansion everywhere.
Note that you probably have variables such as KEYCMD, MODE, UNAME, COMMIT etc in your user
agent/statusbar, these will need to be replaced with the new variables/constants.
Look at the sample config and readme for details.
- documentation updates (a list of all possible variables and constants, among others)
- customizable "new window" handler for links with target="_blank" and such
- address scheme parameter for cookie handlers (sample cookie handlers are updated)
- cookies.py should now also work better with gmail and facebook.
- support for calling: `uzbl example.com` (eg you don't need the `-u` flag
anymore), which helps integration with some other tools such as urxvt and Xfce.
- added `--version` argument to see commit hash.
- added `--geometry` flag to start uzbl with given geometry/position.
- cleaned up sample config a bit
- portability improvements (use more posix sh, work with gmake on BSD etc)
- several small fixes and cleanups


Get it while it's hot:
- 2009.07.18 tree
- 2009.07.18 tgz


Note: uzbl can still be quite slow if you're using a cookie handler. This
is because we spawn a new process (and a script for that matter) for each
single http request. We're working on resolving this...

Again, a huge thanks to the plenty of people who've done contributions!

Dieter