Difference: VarURLPARAM (5 vs. 6)

Revision 62009-02-23 - TWikiContributor

Line: 1 to 1
 
META TOPICPARENT name="TWikiVariables"

URLPARAM{"name"} -- get value of a URL parameter

Line: 9 to 9
 
"name" The name of a URL parameter required
default="..." Default value in case parameter is empty or missing empty string
newline="<br />" Convert newlines in textarea to other delimiters no conversion
Changed:
<
<
encode="entity" Encode special characters into HTML entities. See ENCODE for more details. no encoding
encode="url" Encode special characters for URL parameter use, like a double quote into %22 no encoding
encode="quote" Escape double quotes with backslashes (\"), does not change other characters; required when feeding URL parameters into other TWiki variables no encoding
>
>
encode="off" Turn off encoding. See important security note below encode="safe"
encode="safe" Encode special characters into HTML entities to avoid XSS exploits: "<", ">", "%", single quote (') and double quote (") (this is the default)
encode="entity" Encode special characters into HTML entities. See ENCODE for more details. encode="safe"
encode="url" Encode special characters for URL parameter use, like a double quote into %22 encode="safe"
encode="quote" Escape double quotes with backslashes (\"), does not change other characters; required when feeding URL parameters into other TWiki variables encode="safe"
 
multiple="on"
multiple="[[$item]]"
If set, gets all selected elements of a <select multiple="multiple"> tag. A format can be specified, with $item indicating the element, e.g. multiple="Option: $item" first element
separator=", " Separator between multiple selections. Only relevant if multiple is specified "\n" (new line)
  • Example: %URLPARAM{"skin"}% returns print for a .../view/TWiki/VarURLPARAM?skin=print URL
  • ALERT! Notes:
Changed:
<
<
    • IMPORTANT: There is a risk that this variable could be misused for cross-site scripting (XSS).
    • URL parameters passed into HTML form fields must be entity ENCODEd.
      Example: <input type="text" name="address" value="%URLPARAM{ "address" encode="entity" }%" />
>
>
    • IMPORTANT: There is a risk that this variable can be misused for cross-site scripting (XSS) if the encoding is turned off. The encode="safe" is the default, it provides a safe middle ground. The encode="entity" is more aggressive, but some TWiki applications might not work.
    • URL parameters passed into HTML form fields must be entity ENCODEd.
      Example: <input type="text" name="address" value="%URLPARAM{ "address" encode="entity" }%" />
 
    • Double quotes in URL parameters must be escaped when passed into other TWiki variables.
      Example: %SEARCH{ "%URLPARAM{ "search" encode="quotes" }%" noheader="on" }%
    • When used in a template topic, this variable will be expanded when the template is used to create a new topic. See TWikiTemplates#TemplateTopicsVars for details.
    • Watch out for TWiki internal parameters, such as rev, skin, template, topic, web; they have a special meaning in TWiki. Common parameters and view script specific parameters are documented at TWikiScripts.
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
Note: Please contribute updates to this topic on TWiki.org at TWiki:TWiki.VarURLPARAM