Just tell us what it is, already!
In search of links
On this occasion we were using ASK Responder to try to emulate, in a custom skill, the link fields used in flash briefing skills. To do so, we were modifying Responder on the backend while using Chrome's developer utilities to watch the HTTP transactions on the companion apps. While inspecting the flash briefing content for another skill (NPR on TuneIn), we noticed something curious - the text did not exactly match what we were seeing rendered. Specifically, we were seeing this strange-looking pattern in the "subtitle" field:
All the functions we found
- None of these work in the card's title, only in the body.
- They all work in both Standard and Simple cards. (Note: "flash briefing cards" are actually just Standard Cards with a few specific fields).
- The date functions all work pretty similarly, and are all valid for both card types.
- We couldn't get any of the logic functions (if_eq, if_num, etc.) to work. They all take an object (with a kind of funny format, actually) as input. We tried hard to make this work. Like, really hard. Our hope was that these functions would be the key to opening up more functionality, but we could never get a well-formed object to make it that far into the stack.
- The "getImage" function initially caught our eye as promising. It turns out it's not, though. It's nothing more than a map of image name -> image path.
- There are a bunch of functions (icon, check box, etc.) that will give you back some markup, which you can proudly display as text in your card. Not helpful in any way.
- Speaking of icon, it's pretty heavily used in other parts of the UI to build links and such.
Uses, open questions, and whatnot
Our primary thoughts on things at present are:
- There are only a few functions that could be of any use. The datetime functions allow you to use Unix epoch and still have content render in the timezone of the user's device. There are also a few functions (pluralize, escape, etc.) which could definitely be used if you were too lazy to handle things server-side.
- "if_num" (and its brethren) still feels like the key here. If, somehow, you can describe an object with a .inverse or .fn function on it, and get that object to survive all the way to the point if_num triggers, you will have gained the ability to execute arbitrary code. This would give us card links, and much more. (It's worth noting that, as this is JS injection, it could also be used for evil). Unfortunately there's a rather infuriating regular expression that keeps breaking our attempts at this.
- What's going on with all the constants? There's a ton of stuff in there that we don't see used. What are "salmon", "amber", "doppler", etc.? (We do know that Doppler is the name of Amazon's fancy new headquarters in Seattle, but we're assuming that is coincidence and not related.)
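
One way a card renderer could keep third-party skill text away from its UI-internal functions while still allowing the harmless formatting ones, as an added example (not code from the companion app or from this post). Only the helper names pluralize, escape, icon and getImage come from the post; the `[[name arg]]` call syntax, the helper bodies, the image map and the sample card are constructed placeholders.

```javascript
// Constructed model, not the companion app's code. Helper names come from the
// page; their bodies and the [[name arg]] call syntax are placeholders.
const IMAGES = new Map([['logo', '/img/logo.png']]);
const HELPERS = {
  pluralize: (word) => `${word}s`,
  escape: (text) => text.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`),
  icon: (name) => `<i class="icon-${name}"></i>`, // UI-internal
  getImage: (name) => IMAGES.get(name) || '',     // UI-internal
};

// Helpers a third-party skill may call: pure text formatting only.
const SKILL_ALLOWED = new Set(['pluralize', 'escape']);

// Expand [[helper arg]] calls. `allowed` limits which helpers may run;
// anything unknown or not allowed is left in place as literal text.
function expand(text, allowed) {
  return text.replace(/\[\[(\w+) ([^\[\]]*)\]\]/g, (whole, name, arg) => {
    const known = Object.prototype.hasOwnProperty.call(HELPERS, name);
    if (!known || (allowed && !allowed.has(name))) return whole;
    return HELPERS[name](arg);
  });
}

// Behaviour the page describes: skill-supplied body text reaches the full
// helper registry; the title is never expanded; output is shown as text.
function renderCardUnsafe(card) {
  return {
    title: HELPERS.escape(card.title),
    body: HELPERS.escape(expand(card.body, null)),
  };
}

// Hardened: same pipeline, but skill text only reaches the allow-list.
function renderCardHardened(card) {
  return {
    title: HELPERS.escape(card.title),
    body: HELPERS.escape(expand(card.body, SKILL_ALLOWED)),
  };
}

// Constructed sample card, as a skill backend might return it.
const sampleCard = {
  title: '[[pluralize headline]]',
  body: 'Top [[pluralize headline]] [[icon star]] [[getImage logo]]',
};
console.log(renderCardUnsafe(sampleCard));
console.log(renderCardHardened(sampleCard));
```

The allow-list is checked by helper name before any call is made, so a function added to the registry later for the UI's own use is not exposed to skill text by default.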