The _st module includes utility, injection, and execution methods for manipulating the page environment within custom tags and templates. Use these methods to interact with the DOM, manage cookies, inject resources, and control function execution.
Methods overview
_st.util methods
Method | Description |
|---|---|
| Reads a value from a named cookie. |
| Sets a cookie by name, value, and optional TTL. |
| Erases a cookie. |
| Returns whether the client supports cookies. |
| Gets the first DOM element matching a selector. |
| Gets all DOM elements matching a selector. |
| Binds a function to a DOM event. |
| Gets a query parameter value from the current page URL. |
| Gets a query parameter value from the referrer URL. |
| Encodes an object to a JSON string. |
| Decodes a JSON string to an object. |
| Extends a target object with properties from a source object. |
| Generates a random UUID. |
| Removes accented characters from a string. |
| Wraps a function so it runs at most once. |
| Executes JavaScript in global scope. Deprecated. |
| Executes JavaScript in a sandboxed iframe scope. |
_st.inject methods
Method | Description |
|---|---|
| Injects a JavaScript file into the page. |
| Injects a CSS file into the page. |
| Injects inline CSS directly into the page. |
| Injects HTML into the page. |
| Injects a hidden iframe into the page. |
| Injects an image pixel into the page. |
_st.exec methods
Method | Description |
|---|---|
| Executes a function asynchronously. |
| Executes a function after a specified delay. |
| Executes a function when the DOM has fully loaded. |
| Executes a function when the DOM is ready. |
Method details: _st.util
_st.util.getCookie(name)
Reads a value from a named cookie.
Parameters:
name (string): The name of the cookie to read.
Returns: The cookie value, or undefined if the cookie doesn't exist.
_st.util.setCookie(name, value, ttlDays, customDomain)
Sets a cookie by name and value, with an optional TTL and domain. If you don't provide a TTL, the cookie expires when the browser is closed.
Parameters:
name (string): The name of the cookie to set.
value (string): The value to write.
ttlDays (integer, optional): How many days the cookie should be valid. Omit to create a session cookie.
customDomain (string, optional): The domain to set the cookie for. Defaults to the domain set in your configuration.
_st.util.eraseCookie(name, customDomain)
Erases a cookie by overwriting it with an empty value and a negative TTL.
Parameters:
name (string): The name of the cookie to erase.
customDomain (string, optional): The domain of the cookie to erase. Defaults to the configured cookie domain.
_st.util.hasCookieSupport()
Returns whether the client allows cookies to be set.
Returns: A boolean indicating whether cookies are supported.
_st.util.getElement(selector)
Gets the first DOM element matching the given selector. Uses document.querySelector() natively, which supports standard CSS selectors across all modern browsers. A legacy jQuery fallback exists but is no longer required for modern browser support.
Parameters:
selector (string): The CSS selector to match against.
Returns: The first matching DOM element, or undefined if none is found.
_st.util.getElements(selector)
Gets all DOM elements matching the given selector. Uses document.querySelectorAll() natively, which supports standard CSS selectors across all modern browsers. A legacy jQuery fallback exists but is no longer required for modern browser support.
Parameters:
selector (string): The CSS selector to match against.
Returns: An array of all matching DOM elements, or an empty array if none are found.
_st.util.onEvent(elem, eventType, eventHandle)
Binds a function to a DOM event on one or more elements.
Parameters:
elem (node or array of nodes): The element or elements to bind to.
eventType (string): The event type, for example
clickorchange.eventHandle (function): The function to run when the event fires.
Example:
_st.util.onEvent(element, 'click', function() { /* handler */ });_st.util.getUrlParam(paramName)
Gets the value of a query parameter from the current page URL.
Parameters:
paramName (string): The name of the parameter to read.
Returns: The parameter value, or an empty string if the parameter doesn't exist.
_st.util.getRefParam(paramName)
Gets the value of a query parameter from the referrer URL.
Parameters:
paramName (string): The name of the parameter to read.
Returns: The parameter value, or an empty string if the parameter doesn't exist.
_st.util.encodeJson(obj)
Encodes a JavaScript object to a JSON string.
Parameters:
obj (object): The object to encode.
Returns: The JSON representation of the object as a string.
_st.util.decodeJson(str)
Decodes a JSON string to a JavaScript object.
Parameters:
str (string): The JSON string to decode.
Returns: The parsed object.
_st.util.extend(target, src)
Extends a target object with properties from a source object. All properties from the source are added to the target, overwriting existing values. Properties with the value undefined in the source are not copied. The extension is shallow, not recursive.
Parameters:
target (object): The object to copy properties into.
src (object): The source object to copy properties from.
Returns: The target object with the source properties applied.
_st.util.randomUuid()
Generates a random UUID.
Returns: A random type-1 UUID string.
_st.util.removeDiacrites(string)
Note
This method name contains a deliberate spelling anomaly. It is
removeDiacrites, notremoveDiacritics. This reflects how the method is defined in the codebase. Using the corrected spelling will result in aTypeError.
Removes accented characters from a string by replacing them with their unaccented equivalents.
Parameters:
string (string): The input string.
Returns: A string with accented characters replaced.
_st.util.wrapInOnlyOnce(func)
Wraps a function so that the inner function runs at most once, regardless of how many times the wrapper is called.
Parameters:
func (function): The function to wrap.
Returns: A wrapped function that calls the inner function only on the first invocation.
_st.util.globalEval(src)
Note
This method is legacy and should not be used in new implementations unless strictly required by an existing tag template. Use
_st.util.sandboxEval()where possible.
Security warning
This method directly wraps
window.eval(), which executes arbitrary JavaScript strings in global scope. Passing dynamic or unsanitized input is a security vulnerability (CWE-94).In addition, browsers with a strict Content Security Policy (CSP) will block this method unless
unsafe-evalis explicitly enabled in the policy.
Executes JavaScript code in global scope.
Parameters:
src (string): The JavaScript code to execute.
_st.util.sandboxEval(src)
Security warning
This method executes arbitrary JavaScript strings within a hidden iframe. If the input source is dynamic or unsanitized, it is highly susceptible to Cross-Site Scripting (XSS). Only pass static or fully trusted strings.
Executes JavaScript code in a sandboxed iframe scope. The _st API is injected into the sandbox automatically.
Parameters:
src (string): The JavaScript code to execute.
Method details: _st.inject
_st.inject.script(src, options)
Injects a JavaScript file into the page.
Parameters:
src (string): The URL of the JavaScript file.
options (object, optional): Additional settings.
callback (function): A function to run after the script loads.
docWrite (boolean): Set to
trueif the script usesdocument.writeinternally. Defaults tofalse.selector (string): A CSS selector for the location where
document.writecontent should be inserted. Defaults tobody.id (string): An HTML ID to set on the script element.
attributes (object): Custom HTML attributes to set on the element, for example
{async: true, defer: false}.
Returns: The script element.
Example:
_st.inject.script('//example.com/file.js', { callback: function() { /* callback */ } });_st.inject.style(src, options)
Injects a CSS file into the page.
Parameters:
src (string): The URL of the CSS file.
options (object, optional): Additional settings.
id (string): An HTML ID to set on the style element.
attributes (object): Custom HTML attributes to set on the element, for example
{media: 'print'}.
Returns: The link element.
Example:
_st.inject.style('//example.com/file.css');_st.inject.css(source)
Injects inline CSS directly into the page.
Parameters:
source (string): The CSS code to inject.
Returns: The style element.
Example:
_st.inject.css('p.example { font-weight: bold; }');_st.inject.html(html, options)
Injects HTML into the page.
Parameters:
html (string): The HTML content to inject.
options (object, optional): Additional settings.
selector (string): A CSS selector for where the HTML should be inserted. Defaults to
body.
Returns: The parent element where the HTML was injected.
Example:
_st.inject.html('<h1>Example</h1>', { selector: 'body' });_st.inject.iframe(src, options)
Injects a hidden iframe into the page.
Parameters:
src (string): The URL to load in the iframe.
options (object, optional): Additional settings.
id (string): An HTML ID to set on the iframe element.
attributes (object): Custom HTML attributes to set on the element, for example
{title: 'My iframe'}. Setting theclassattribute through this method isn't supported.
Returns: The iframe element.
Example:
_st.inject.iframe('https://www.example.com/', { 'id': 'my-iframe', 'attributes': { 'title': 'Example' } });_st.inject.pixel(src, options)
Injects an image pixel into the page.
Parameters:
src (string): The URL of the pixel image.
options (object, optional): Additional settings.
callback (function): A function to run after the pixel loads.
Returns: The img element.
Example:
_st.inject.pixel('//example.com/pixel.png');Method details: _st.exec
_st.exec.async(function)
Executes a function asynchronously.
Parameters:
function (function): The function to execute.
Example:
_st.exec.async(function() { /* function */ });_st.exec.delayed(function, delay)
Executes a function after a specified delay.
Parameters:
function (function): The function to execute.
delay (integer): The delay in milliseconds.
Example:
_st.exec.delayed(function() { /* function */ }, 3000);_st.exec.onload(function)
Executes a function when the page has fully loaded (DOM load event).
Parameters:
function (function): The function to execute on page load.
Example:
_st.exec.onload(function() { /* function */ });_st.exec.onready(function)
Executes a function when the DOM is ready, before all resources have finished loading.
Parameters:
function (function): The function to execute on DOM ready.
Example:
_st.exec.onready(function() { /* function */ });