The ::safe::loadTk command initializes the required data structures in the named safe interpreter and then loads Tk into it. The interpreter must have been created with ::safe::interpCreate or have been initialized with ::safe::interpInit. The command returns the name of the safe interpreter. If -use is specified, the window identified by the specified system dependent identifier windowId is used to contain the “.” window of the safe interpreter; it can be any valid id, eventually referencing a window belonging to another application. As a convenience, if the window you plan to use is a Tk Window of the application you can use the window name (e.g. .x.y) instead of its window Id ([winfo id .x.y]). When -use is not specified, a new toplevel window is created for the “.” window of the safe interpreter. On X11 if you want the embedded window to use another display than the default one, specify it with -display. See the SECURITY ISSUES section below for implementation details.
Please read the safe manual page for Tcl to learn about the basic security considerations for Safe Tcl.
::safe::loadTk adds the value of tk_library taken from the master interpreter to the virtual access path of the safe interpreter so that auto-loading will work in the safe interpreter.
Tk initialization is now safe with respect to not trusting the slave's state for startup. ::safe::loadTk registers the slave's name so when the Tk initialization (Tk_SafeInit) is called and in turn calls the master's ::safe::InitTk it will return the desired argv equivalent (-use windowId, correct -display, etc.)
When -use is not used, the new toplevel created is specially decorated so the user is always aware that the user interface presented comes from a potentially unsafe code and can easily delete the corresponding interpreter.
On X11, conflicting -use and -display are likely to generate a fatal X error.