projectdiscovery · ehsandeep · May 20, 2025 · May 20, 2025
diff --git a/templates/protocols/headless.mdx b/templates/protocols/headless.mdx
@@ -31,20 +31,38 @@
 
 ### script
 
-Script runs a JS code on the current browser page. At the simplest level, you can just provide a `code` argument with the JS snippet you want to execute, and it will be run on the page. 
+Script runs a JavaScript code on the current browser page. At the simplest level, you can just provide a `code` argument with the JS snippet you want to execute, and it will be run on the page. 
 
 ```yaml
 action: script
 args:
-  code: alert(document.domain)
+  code: () => alert(document.domain)
 ```
 
+<Warning>
+  The <code>code</code> property strictly requires a function reference. Direct expressions or values are invalid and will not work. Always use a function.
+
+  **Incorrect:**
+  ```yaml
+  action: script
+  args:
+    code: alert(document.domain) # ❌ This is NOT a function reference
+  ```
+
+  **Correct:**
+  ```yaml
+  action: script
+  args:
+    code: () => alert(document.domain) # ✅ This is a function reference
+  ```
+</Warning>
+
 Suppose you want to run a matcher on a JS object to inspect its value. This type of data extraction use cases are also supported with nuclei headless. As an example, let's say the application sets an object called `window.random-object` with a value, and you want to match on that value.
 
 ```yaml
 - action: script
   args:
-    code: window.random-object
+    code: () => window.random-object
   name: script-name
 ...
 matchers:
@@ -61,7 +79,7 @@
 ```yaml
 - action: script
   args:
-    code: (function() { window.alert=function(){} })()
+    code: () => (function() { window.alert=function(){} })()
     hook: true
 ```
 
@@ -78,7 +96,7 @@
  xpath: /html/body/div[1]/div[3]/form/div[2]/div[1]/div[1]/div/div[2]/input
 ```

 Nuclei supports a variety of selector types, including but not limited to XPath, Regex, CSS, etc. For more information about selectors, see [here](#selectors).

 ### rightclick

@@ -160,7 +178,7 @@
  value: /root/test/payload.txt
 ```

 ### waitfcp

 WaitFCP waits for the first piece of meaningful content, such as text or an image, indicating that the page is becoming useful.

@@ -168,7 +186,7 @@
 action: waitfcp
 ```

 ### waitfmp

 WaitFMP waits for the First Meaningful Paint event, allowing users to proceed when content is visually ready.

@@ -178,13 +196,13 @@

 ### waitdom

 WaitDOM waits for the `DOMContentLoaded` event, indicating that the HTML has been loaded and parsed, but without waiting for stylesheets, images, and subframes to finish loading.

 ```yaml
 action: waitdom
 ```

 ### waitload

 WaitLoad waits the entire page, including dependent resources like stylesheets and images, has been fully loaded.

@@ -192,7 +210,7 @@
 action: waitload
 ```

 ### waitidle

 WaitIdle waits until the page completely stopped making network requests and reaches a network idle state, indicating that all resources have been loaded.

@@ -200,7 +218,7 @@
 action: waitidle
 ```

 ### waitstable

 WaitStable waits until the page is stable for *N* duration *(default is `1s`)*.

@@ -210,7 +228,7 @@
  duration: 5s
 ```

 ### waitdialog

 WaitDialog will wait for a JavaScript dialog (`alert`, `confirm`, `prompt`, or `onbeforeunload`) to be initialized and then automatically accept it.

@@ -224,18 +242,18 @@
 This action is useful for detecting triggered XSS payloads with a high level of accuracy and a low rate of false positives.

 <Note>
  The `name` property MUST be explicitly defined to ensure the output variable is available for later use by `matchers` or `extractors` wihtin your template. See the example [here](/templates/protocols/headless-examples#xss-detection).
 </Note>

 **Output variables:**

 * **NAME** _(boolean)_, indicator of JavaScript dialog triggered.
 * **NAME_type** _(string)_, dialog type (`alert`, `confirm`, `prompt`, or `onbeforeunload`).
 * **NAME_message** _(string)_, displayed message dialog.

 ### getresource

 GetResource returns the src attribute for an element.

 ```yaml
 action: getresource
@@ -249,7 +267,7 @@

 Extract extracts either the Text for an HTML Node, or an attribute as specified by the user.

 The below code will extract the Text for the given XPath Selector Element, which can then also be matched upon by name `extracted-value` with matchers and extractors.

 ```yaml
 action: extract
@@ -271,7 +289,7 @@
  attribute: href
 ```

 ### setmethod

 SetMethod overrides the method for the request. 

@@ -282,7 +300,7 @@
  method: DELETE
 ```

 ### addheader

 AddHeader adds a header to the requests / responses. This does not overwrite any pre-existing headers.

@@ -294,7 +312,7 @@
  value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
 ```

 ### setheader

 SetHeader sets a header in the requests / responses.

@@ -317,7 +335,7 @@
  key: Content-Security-Policy
 ```

 ### setbody

 SetBody sets the body for a request / response. 

@@ -328,7 +346,7 @@
  body: '{"success":"ok"}'
 ```

 ### waitevent

 WaitEvent waits for an event to trigger on the page.

@@ -379,14 +397,14 @@
 | Selector             | Description                                         |
 |----------------------|-----------------------------------------------------|
 | `r` / `regex`        | Element matches CSS Selector and Text Matches Regex |
 | `x` / `xpath`        | Element matches XPath selector                      |
 | `js`                 | Return elements from a JS function                  |
 | `search`             | Search for a query (can be text, XPATH, CSS)        |
 | `selector` (default) | Element matches CSS Selector                        |

 ## Matchers / Extractor Parts

 Valid `part` values supported by **Headless** protocol for Matchers / Extractor are - 

 | Value             | Description                     |
 |-------------------|---------------------------------|