#VarQUERYPARAMS
---+++ QUERYPARAMS -- show parameters to the query
   * Expands the parameters to the query that was used to display the page.
   * Syntax: =%<nop>QUERYPARAMS{...}%=
   * Supported parameters:
     | *Parameter:* | *Description:* | *Default:* |
     | =format="..."= | Format string for each entry | =$name=$value= |
     | =separator="..."= | Separator string | =separator="$n"= (newline) |
     | =encoding="entity"= <br /> =encoding="safe"= <br /> =encoding="html"= <br /> =encoding="quotes"= <br /> =encoding="url"= | Control how special characters are encoded. If this parameter is not given, "safe" encoding is performed, which HTML entity encodes the characters ='"<>%=. <hr /> =entity=: Encode special characters into HTML entities, like a double quote into =&#034;=. Does *not* encode =\n= or =\r=. <hr /> =safe=: Encode characters ='"<>%= into HTML entities. (This is the default.) <hr /> =html=: As =encoding="entity"= except it also encodes =\n= and =\r= <hr /> =quotes=: Escape double quotes with backslashes (=\"=), does not change other characters <hr /> =url=: Encode special characters for URL parameter use, like a double quote into =%22= | =encoding="safe"= |
   <ul><li>The following escape sequences are expanded in the format string:
     | *Sequence:* | *Expands To:* |
     | =$name= | Name of the parameter |
     | =$value= | String value of the parameter. Multi-valued parameters will have a "row" for each value. |
     %INCLUDE{FormatTokens}%</li></ul>
   * Example:<pre class="tml">
   %<nop>QUERYPARAMS{ format="<input type='hidden' name='$name' value='$value' />" encoding="entity" }%</pre>
<blockquote class="foswikiHelp">%X% *Security warning!* QUERYPARAMS can easily be misused for cross-site scripting unless specific characters are entity encoded. By default QUERYPARAMS encodes the characters ='"<>%= into HTML entities (same as encoding="safe"), which is relatively safe. The safest is to use encoding="entity". When passing QUERYPARAMS inside another macro, always use double quotes ("") combined with using QUERYPARAMS with encoding="quotes". For maximum security against cross-site scripting you are advised to install the Foswiki:Extensions.SafeWikiPlugin.</blockquote>
   * See also [[VarQUERYSTRING][QUERYSTRING]], [[%IF{"'%INCLUDINGTOPIC%'='Macros'" then="#"}%VarURLPARAM][URLPARAM]]
<!--%JQREQUIRE{"chili"}%-->
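The encodings compared above, as a Python model added here (not Foswiki's code and not part of the original topic): it renders the hidden-input format from the example for a constructed query and reports which of the characters ='"<>= survive unencoded. The exact character set for =entity= and =html=, and the encoding of =$name= as well as =$value=, are assumptions.

```python
import re
from urllib.parse import quote

SAFE_CHARS = "'\"<>%"  # the set the topic lists for encoding="safe"
HIDDEN = "<input type='hidden' name='$name' value='$value' />"

def _entities(text, chars):
    # Numeric entities in the topic's style: '"' becomes &#034;
    return "".join(f"&#{ord(c):03d};" if c in chars else c for c in text)

def encode(text, encoding="safe"):
    if encoding == "safe":
        return _entities(text, SAFE_CHARS)
    if encoding == "entity":  # assumed set: safe chars plus '&'
        return _entities(text, SAFE_CHARS + "&")
    if encoding == "html":    # as entity, plus \n and \r
        return _entities(text, SAFE_CHARS + "&\n\r")
    if encoding == "quotes":  # backslash-escape double quotes only
        return text.replace('"', '\\"')
    if encoding == "url":
        return quote(text, safe="")
    raise ValueError(f"unknown encoding: {encoding}")

def query_params(params, fmt="$name=$value", separator="\n", encoding="safe"):
    """params: (name, value) pairs; a multi-valued parameter repeats its name."""
    rows = []
    for name, value in params:
        enc = {"name": encode(name, encoding), "value": encode(value, encoding)}
        rows.append(re.sub(r"\$(name|value)", lambda m: enc[m.group(1)], fmt))
    return separator.join(rows)

def surviving(value, encoding):
    """Characters that can close an attribute or open a tag and are still raw."""
    return {c for c in "'\"<>" if c in encode(value, encoding)}

if __name__ == "__main__":
    # Constructed query: one value with every special character, one repeated name.
    query = [("q", "O'Brien \"<b>\" 100%"), ("tag", "a"), ("tag", "b")]
    for enc in ("safe", "entity", "html", "quotes", "url"):
        print(f"--- {enc}: raw {sorted(surviving(query[0][1], enc)) or 'none'}")
        print(query_params(query, fmt=HIDDEN, encoding=enc))
```

Only =quotes= leaves all four characters raw in the rendered HTML, which fits the topic's advice to use it when passing QUERYPARAMS inside another macro's double-quoted argument rather than for HTML output.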
Topic revision: r1 - 15 Feb 2011, ProjectContributor