Changeset 1161 for trunk/core/data/System/VarURLPARAM.txt
- Timestamp:
- 12/04/08 07:48:32 (3 years ago)
- File:
-
- 1 edited
-
trunk/core/data/System/VarURLPARAM.txt (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/core/data/System/VarURLPARAM.txt
r1022 r1161 10 10 | =default="..."= | Default value in case parameter is empty or missing | empty string | 11 11 | =newline="<br />"= | Convert newlines in textarea to other delimiters | no conversion | 12 | =encode="entity"= | Encode special characters into HTML entities. See [[%IF{"'%INCLUDINGTOPIC%'='Macros'" then="#"}%VarENCODE][ENCODE]] for more details. | no encoding | 13 | =encode="url"= | Encode special characters for URL parameter use, like a double quote into =%22= | no encoding | 14 | =encode="quote"= | Escape double quotes with backslashes (=\"=), does not change other characters; required when feeding URL parameters into other macros | no encoding | 12 | =encode="off"= <br /> =encode="entity"= <br /> =encode="safe"= <br /> =encode="url"= <br /> =encode="quote"= | Control how special characters are encoded <hr /> =off=: No encoding. Avoid using this when possible. See the security warning below. <hr /> =entity=: Encode special characters into HTML entities. See [[%IF{"'%INCLUDINGTOPIC%'='Macros'" then="#"}%VarENCODE][ENCODE]] for more details. <hr /> =safe=: Encode characters ='"<>= into HTML entities. <hr /> =url=: Encode special characters for URL parameter use, like a double quote into =%22= <hr /> =quote=: Escape double quotes with backslashes (=\"=), does not change other characters; required when feeding URL parameters into other macros. | "safe" | 15 13 | =multiple="on"= %BR% =multiple="[<nop>[$item]]"= | If set, gets all selected elements of a =<select multiple="multiple">= tag. A format can be specified, with =$item= indicating the element, e.g. =multiple="Option: $item"= | first element | 16 14 | =separator=", "= | Separator between multiple selections. Only relevant if multiple is specified | ="\n"= (new line) | … … 18 16 * __%X% Notes:__ 19 17 * URL parameters passed into HTML form fields must be entity [[%IF{"'%INCLUDINGTOPIC%'='Macros'" then="#"}%VarENCODE][ENCODEd]]. 20 * Double quotes in URL parameters must be escaped when passed into other macros.%BR% Example: =%<nop>SEARCH{ "%<nop>URLPARAM{ "search" encode="quote s" }%" noheader="on" }%=18 * Double quotes in URL parameters must be escaped when passed into other macros.%BR% Example: =%<nop>SEARCH{ "%<nop>URLPARAM{ "search" encode="quote" }%" noheader="on" }%= 21 19 * When used in a template topic, this macro will be expanded when the template is used to create a new topic. See TemplateTopics#TemplateTopicsVars for details. 22 20 * Watch out for internal parameters, such as =rev=, =skin=, =template=, =topic=, =web=; they have a special meaning in Foswiki. Common parameters and view script specific parameters are documented at CommandAndCGIScripts. 23 21 * If you have =%<nop>URLPARAM{= in the value of a URL parameter, it will be modified to =%<nop>URLPARAM{=. This is to prevent an infinite loop during expansion. 24 * There is a risk that this macro could be misused for cross-site scripting.22 * Security warning! Using URLPARAM can easily be misused for cross-site scripting unless specific characters are entity encoded. By default URLPARAM encodes the characters ='"<>= into HTML entities (same as encode="safe") which is relatively safe. The safest is to use encode="entity". When passing URLPARAM inside another macro always use double quotes ("") combined with using URLPARAM with encode="quote". For maximum security against cross-site scripting you are adviced to install the Foswiki:Extensions.SafeWikiPlugin. 25 23 * Related: [[%IF{"'%INCLUDINGTOPIC%'='Macros'" then="#"}%VarENCODE][ENCODE]], [[%IF{"'%INCLUDINGTOPIC%'='Macros'" then="#"}%VarSEARCH][SEARCH]], FormattedSearch, [[%IF{"'%INCLUDINGTOPIC%'='Macros'" then="#"}%VarQUERYSTRING][QUERYSTRING]]
Note: See TracChangeset
for help on using the changeset viewer.
