Complex Commands
This document lists the set of Visual Studio Code complex commands. They are called complex commands because they require parameters and often return a value. You can use the commands in conjunction with the executeCommand
API.
The following is a sample of how to preview a HTML document:
|
Commands
vscode.executeWorkspaceSymbolProvider
- Execute all workspace symbol provider.
- query Search string
- (returns) A promise that resolves to an array of SymbolInformation-instances.
vscode.executeDefinitionProvider
- Execute all definition provider.
- uri Uri of a text document
- position Position of a symbol
- (returns) A promise that resolves to an array of Location-instances.
vscode.executeImplementationProvider
- Execute all implementation providers.
- uri Uri of a text document
- position Position of a symbol
- (returns) A promise that resolves to an array of Location-instance.
vscode.executeHoverProvider
- Execute all hover provider.
- uri Uri of a text document
- position Position of a symbol
- (returns) A promise that resolves to an array of Hover-instances.
vscode.executeDocumentHighlights
- Execute document highlight provider.
- uri Uri of a text document
- position Position in a text document
- (returns) A promise that resolves to an array of DocumentHighlight-instances.
vscode.executeReferenceProvider
- Execute reference provider.
- uri Uri of a text document
- position Position in a text document
- (returns) A promise that resolves to an array of Location-instances.
vscode.executeDocumentRenameProvider
- Execute rename provider.
- uri Uri of a text document
- position Position in a text document
- newName The new symbol name
- (returns) A promise that resolves to a WorkspaceEdit.
vscode.executeSignatureHelpProvider
- Execute signature help provider.
- uri Uri of a text document
- position Position in a text document
- triggerCharacter (optional) Trigger signature help when the user types the character, like
,
or(
- (returns) A promise that resolves to SignatureHelp.
vscode.executeDocumentSymbolProvider
- Execute document symbol provider.
- uri Uri of a text document
- (returns) A promise that resolves to an array of SymbolInformation-instances.
vscode.executeCompletionItemProvider
- Execute completion item provider.
- uri Uri of a text document
- position Position in a text document
- triggerCharacter (optional) Trigger completion when the user types the character, like
,
or(
- (returns) A promise that resolves to a CompletionList-instance.
vscode.executeCodeActionProvider
- Execute code action provider.
- uri Uri of a text document
- range Range in a text document
- (returns) A promise that resolves to an array of Command-instances.
vscode.executeCodeLensProvider
- Execute CodeLens provider.
- uri Uri of a text document
- (returns) A promise that resolves to an array of CodeLens-instances.
vscode.executeFormatDocumentProvider
- Execute document format provider.
- uri Uri of a text document
- options Formatting options
- (returns) A promise that resolves to an array of TextEdits.
vscode.executeFormatRangeProvider
- Execute range format provider.
- uri Uri of a text document
- range Range in a text document
- options Formatting options
- (returns) A promise that resolves to an array of TextEdits.
vscode.executeFormatOnTypeProvider
- Execute document format provider.
- uri Uri of a text document
- position Position in a text document
- ch Character that got typed
- options Formatting options
- (returns) A promise that resolves to an array of TextEdits.
vscode.executeLinkProvider
- Execute document link provider.
- uri Uri of a text document
- (returns) A promise that resolves to an array of DocumentLink-instances.
vscode.previewHtml
- Render the HTML of the resource in an editor view.
- uri Uri of the resource to preview.
- column (optional) Column in which to preview.
- label (optional) An human readable string that is used as title for the preview.
See working with the HTML preview for more information about the HTML preview’s integration with the editor and for best practices for extension authors.
vscode.openFolder
- Open a folder in the current window or new window depending on the newWindow argument. Note that opening in the same window will shutdown the current extension host process and start a new one on the given folder unless the newWindow parameter is set to true.
- uri (optional) Uri of the folder to open. If not provided, a native dialog will ask the user for the folder
- newWindow (optional) Whether to open the folder in a new window or the same. Defaults to opening in the same window.
vscode.startDebug
- Start a debugging session.
- configuration (optional) Name of the debug configuration from ‘launch.json’ to use. Or a configuration json object to use.
vscode.diff
- Opens the provided resources in the diff editor to compare their contents.
- left Left-hand side resource of the diff editor
- right Right-hand side resource of the diff editor
- title (optional) Human readable title for the diff editor
- options (optional) Editor options, see vscode.TextDocumentShowOptions
vscode.open
- Opens the provided resource in the editor. Can be a text or binary file, or a http(s) url
- resource Resource to open
- column (optional) Column in which to open
cursorMove
- Move cursor to a logical position in the view
Cursor move argument object
Property-value pairs that can be passed through this argument:
‘to’: A mandatory logical position value providing where to move the cursor.
'left', 'right', 'up', 'down''wrappedLineStart', 'wrappedLineEnd', 'wrappedLineColumnCenter''wrappedLineFirstNonWhitespaceCharacter', 'wrappedLineLastNonWhitespaceCharacter''viewPortTop', 'viewPortCenter', 'viewPortBottom', 'viewPortIfOutside'‘by’: Unit to move. Default is computed based on ‘to’ value.
'line', 'wrappedLine', 'character', 'halfLine'‘value’: Number of units to move. Default is ‘1’.
- ‘select’: If ‘true’ makes the selection. Default is ‘false’.
editorScroll
- Scroll editor in the given direction
Editor scroll argument object
Property-value pairs that can be passed through this argument:
‘to’: A mandatory direction value.
'up', 'down'‘by’: Unit to move. Default is computed based on ‘to’ value.
'line', 'wrappedLine', 'page', 'halfPage'‘value’: Number of units to move. Default is ‘1’.
- ‘revealCursor’: If ‘true’ reveals the cursor if it is outside view port.
revealLine
- Reveal the given line at the given logical position
Reveal line argument object
Property-value pairs that can be passed through this argument:
- ‘lineNumber’: A mandatory line number value.
- ‘at’: Logical position at which line has to be revealed .'top', 'center', 'bottom'
editor.unfold
- Unfold the content in the editor
Unfold editor argument
Property-value pairs that can be passed through this argument:
- ‘level’: Number of levels to unfold
editor.fold
- Fold the content in the editor
Fold editor argument
Property-value pairs that can be passed through this argument:
- ‘levels’: Number of levels to fold
- ‘up’: If ‘true’, folds given number of levels up otherwise folds down
editor.action.showReferences
- Show references at a position in a file
- uri The text document in which to show references
- position The position at which to show
- locations An array of locations.
moveActiveEditor
- Move the active editor by tabs or groups
Active editor move argument
Argument Properties:
- ‘to’: String value providing where to move.
- ‘by’: String value providing the unit for move. By tab or by group.
- ‘value’: Number value providing how many positions or an absolute position to move.
Working With the HTML Preview
Styling
The body element of the displayed HTML is dynamically annotated with one of the following CSS classes in order to communicate the kind of color theme VS Code is currently using: vscode-light
, vscode-dark
, or vscode-high-contrast
.
Links
Links contained in the document will be handled by VS Code whereby it supports file
-resources and virtual resources as well as triggering commands using the command
scheme. Use the query part of a command-uri to pass along JSON encoded arguments. Note that URL encoding must be applied.
The snippet below defines a command link that calls the previewHtml command and passes along an URI:
|
Security Tips
As an extension author, if you use an HTML preview, you are responsible for protecting users from potentially malicious content. The primary danger is that an attacker could craft a malicious workspace that uses your HTML preview to execute scripts or perform other insecure activities. In addition to normal web security best practices, here are a few specific tips and tricks to help protect users.
Sanitizing Content
As a first line of defense, when constructing an HTML document for the preview, make sure to appropriately sanitize all input that comes from workspace settings or from files on a user’s system. For HTML content, consider using a whitelist of safe tags and attributes. Libraries such as sanitize-html can help with this.
Disabling Scripts
If your preview does not need to execute JavaScript, you can further enhance security by disabling script execution entirely. One way to accomplish this is by loading untrusted content inside of an iframe
with the sandbox
attribute set. In this case, the content would be loaded using the srcdoc
attribute:
|
If your preview still needs to load some local resources such as images, try using sandbox="allow-same-origin"
instead:
|
sandbox="allow-same-origin"
disables script execution inside the iframe
but allows loading resources from a user’s system, such as stylesheets and images. In general, it is best to disable access to local resources unless your preview absolutely needs it.
Using a Content Security Policy
If your preview’s functionality depends on scripts, consider disabling scripts that come from untrusted user content using a content security policy. Content security policy allow fine grained control over which resources may be loaded.
For example, here’s a content security policy that allows images from anywhere, allows stylesheets from a user’s local system, and disables all scripts:
|
To selectively enable scripts, the best approach for the HTML preview is to use a dynamically generated nonce to whitelist certain trusted scripts:
|