There’s no list of all the legal function calls you can make, though the wiki does cover the DOM element calls. I’ve put in a request to the Facebook team to document the whitelist they use to parse scripts, but for now you need to use trial and error to find out which calls are filtered out. Some are obvious: anything that would let you add arbitrary unchecked content to the page, like document.write or eval(), is never going to be supported.
I had to write a script blocker for SearchMash, so I know how tough it can be. I’m very impressed with the job they do; managing to identify variables within JS and put them in a private namespace by adding a prefix is very clever. I do wonder if anyone’s gone through the full Cross-Site Scripting Cheatsheet though, since there are some funky methods of concealing scripts within HTML, and even after a few weeks of work I wasn’t able to exclude all of them. I had to deal with arbitrary external pages, so maybe Facebook can avoid those issues by refusing to parse anything that looks even slightly odd, since most of the exploits rely on ill-formed markup that still works in many browsers.
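A toy version of the approach described above (prefix every free identifier, reject disallowed calls, refuse anything the scanner does not recognise), added here as an illustration; it is not Facebook's FBJS parser or code from this post. The prefix `a12345_`, the block lists and the accepted token set are assumptions, and a real filter needs a full JavaScript parser rather than a token scan.

```javascript
// Added illustration: a toy, fail-closed identifier rewriter. Not Facebook's
// FBJS parser; PREFIX and the block lists below are assumptions for the sketch.
const PREFIX = 'a12345_'; // hypothetical per-application namespace prefix
const BLOCKED_GLOBALS = new Set(['eval', 'Function']);
const BLOCKED_MEMBERS = new Set(['write', 'writeln']);
const KEYWORDS = new Set(['var', 'function', 'return', 'if', 'else', 'for',
  'while', 'new', 'this', 'true', 'false', 'null']);

// The only token shapes accepted. There is deliberately no '[', ']', '/',
// backslash or backtick, so computed member access, regex literals, comments
// and string escapes are rejected instead of being guessed at.
const TOKEN = /\s+|[A-Za-z_$][\w$]*|\d+(?:\.\d+)?|'[^'\\\n]*'|"[^"\\\n]*"|[{}();,.=+\-*<>!&|?:]/y;
const IDENT = /^[A-Za-z_$]/;

function sandbox(src) {
  let out = '';
  let prev = ''; // last non-whitespace token, used to spot member access
  let pos = 0;
  while (pos < src.length) {
    TOKEN.lastIndex = pos;
    const m = TOKEN.exec(src);
    if (!m) throw new Error(`rejected: unrecognised input at offset ${pos}`);
    const tok = m[0];
    pos += tok.length;
    if (!IDENT.test(tok)) {
      out += tok; // whitespace, number, string or punctuation
    } else if (prev === '.') {
      if (BLOCKED_MEMBERS.has(tok)) throw new Error(`rejected: .${tok}`);
      out += tok; // property names are not renamed
    } else if (KEYWORDS.has(tok)) {
      out += tok;
    } else if (BLOCKED_GLOBALS.has(tok)) {
      throw new Error(`rejected: ${tok}`);
    } else {
      out += PREFIX + tok; // every free identifier moves into the namespace
    }
    if (tok.trim() !== '') prev = tok;
  }
  return out;
}
```

Because `document` itself is renamed, the rewritten script can only reach whatever object the host page chooses to expose under the prefixed name.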
One of the interesting restrictions they have is that scripts in profile boxes will only be run as the result of a user action. This is a nice balance between allowing the app to do interactive things on the profile and keeping the app from annoying the user when they’re not interested in it.
I’ve already done a big post on Facebook’s MockAjax, but a lot of the same points apply to general FBJS development. You’ll want to get Firebug to help you debug, and expect to spend a lot of time looking at the actual source of the pages Facebook is giving you. Luckily, if you’re the developer, they include the FBML before it was processed by their parser, in comments towards the top of the page. This can be a real life-saver when you’re trying to work out what went wrong.
Funhouse Photo User Count: 1124 total, 104 active. Another day of steady growth. I’m going to see if I can chart the statistics I’ve been gathering here, but I’m pretty sure it’s been almost linear since I launched.
Event Connector User Count: 9 total. Still need to research what they mean by ‘secret’ events, and how to exclude them, and then I can do another directory submission.