Scripting Reference

← Back to Documentation

This page contains example scripts, and a list of all functions available when writing scripts in A11y Pulse. To learn how to add scripts to your sites in A11y Pulse, please see the Scripting documentation.

Contents:

• Available functions
  • navigate(url)
  • fill(selector, value)
  • click(selector)
  • submit(selector)
  • setHeader(name, value, filter?)
  • secret(name)
• Example scripts
  • Log into an application
  • Set request headers

Available functions

navigate(url)

Load the specified URL and wait for network activity to stop. The URLs must include the protocol e.g. https://.

Example

navigate("https://www.w3.org/");

fill(selector, value)

Set the value of the first element matching selector. This will work for <input>, <textarea>, and <select> elements. Any Puppeteer selector can be used.

Example

// CSS selectors can be used
fill("#country", "New Zealand");
fill(".form .fieldset > input", "Hello");

// XPath works with the `xpath/` prefix
fill('xpath///button[@type="submit"]/ancestor::form//input', "abc123");

click(selector)

Click on the first element matching selector, then wait for any network activity to stop. Any Puppeteer selector can be used.

Example

click("button[type=submit]");

submit(selector)

Call the .submit() function of the first element matching selector, then wait for any network activity to stop. Any Puppeteer selector can be used. This is useful when you don’t know which button to click to submit a form.

Example

submit("form:has(input[name=password])");

setHeader(name, value, filter?)

Set a header on outgoing requests, optionally filtering by URL. The filter supports simple wildcards using the asterisk * character. If no filter is specified, the header will be applied to all requests. We do not recommend doing this, as it can cause cross-origin (CORS) errors.

Example

// Add basic authentication to all requests.
setHeader("authorization", "Basic YWxhZGRpbjpvcGVuc2VzYW1l");

// Add a custom header to all requests on cdn.a11ypulse.com.
setHeader("x-cache-debug", "1", "https://cdn.a11ypulse.com/*");

// Add a cache-control header to any /favicon.ico requests.
setHeader("cache-control", "none", "*/favicon.ico");

secret(name)

Read the plaintext value of a named secret from your team’s Secrets settings. Secrets are encrypted at rest and never stored or logged in plain text. The value is resolved at the start of each scan. If the named secret does not exist, the scan will fail with a descriptive error.

secret() can be used anywhere a string value is accepted, such as the second argument to fill().

Example

// Fill a password field using a stored secret.
fill("input[name=password]", secret("MY_PASSWORD"));

Example scripts

Log into an application

// You can add comments to your script to help others understand them.
//
// Open the login page.
navigate("https://app.a11ypulse.com/auth/login");

// Fill out the username and password fields.
// Use secret() to avoid storing credentials in plain text.
fill("input[name=email]", "[email protected]");
fill("input[name=password]", secret("MY_PASSWORD"));

// Click the login button.
click("button[type=submit]");

// Alternatively, submit the login form.
// submit("form:has(input[name=password])");

Set request headers

// Add basic authentication to all requests.
setHeader("authorization", "Basic YWxhZGRpbjpvcGVuc2VzYW1l");

// Add a custom header to all requests on cdn.a11ypulse.com.
setHeader("x-cache-debug", "1", "https://cdn.a11ypulse.com/*");

// Add a cache-control header to any /favicon.ico requests.
setHeader("cache-control", "none", "*/favicon.ico");

// Open the page to be scanned.
navigate("https://www.a11ypulse.com/");