
QUERYPARAMS -- show parameters to the query

  • Expands the parameters to the query that was used to display the page.
  • Syntax: %QUERYPARAMS{...}%
  • Supported parameters:
    | Parameter: | Description: | Default: |
    | format="..." | Format string for each entry | $name=$value |
    | separator="..." | Separator string | separator="$n" (newline) |
    | encoding="..." | Control how special characters are encoded. If this parameter is not given, "safe" encoding is performed, which HTML-entity-encodes the characters '"<>%. | encoding="safe" |
    The supported values for encoding are:
    entity: Encode special characters into HTML entities, like a double quote into &#034;. Does not encode \n or \r.
    safe: Encode the characters '"<>% into HTML entities. (This is the default.)
    html: As encoding="entity", except it also encodes \n and \r.
    quotes: Escape double quotes with backslashes (\"); does not change other characters.
    url: Encode special characters for URL parameter use, like a double quote into %22.
  • The following escape sequences are expanded in the format string:
    | Sequence: | Expands To: |
    | $name | Name of the parameter |
    | $value | String value of the parameter. Multi-valued parameters will have a "row" for each value. |
    | $n or $n() | New line. Use $n() if followed by an alphanumeric character, e.g. write Foo$n()Bar instead of Foo$nBar |
    | $nop or $nop() | Is a "no operation". This token gets removed; useful for nested search |
    | $quot | Double quote (") (\" also works) |
    | $percnt | Percent sign (%) |
    | $dollar | Dollar sign ($) |
  • Example:
    • %QUERYPARAMS{format="<input type='hidden' name='$name' value='$value' />" encoding="entity"}%
      (encoding="..." is a parameter of the macro itself, so it goes outside the quoted format string, not inside it.)
  • Security warning!
    Using QUERYPARAMS can easily be misused for cross-site scripting unless specific characters are entity encoded. By default QUERYPARAMS encodes the characters '"<>% into HTML entities (same as encoding="safe"), which is relatively safe. The safest is to use encoding="entity". When passing QUERYPARAMS inside another macro, always use double quotes ("") combined with using QUERYPARAMS with encoding="quotes". For maximum security against cross-site scripting you are advised to install the Foswiki:Extensions.SafeWikiPlugin.
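The following is an added example, not part of this page and not Foswiki's own Perl code: a small Python re-implementation of the expansion described by the parameter table, the encoding values and the escape-sequence table above, run over constructed query parameters. It shows what the default encoding="safe" does to script markup, where encoding="safe" and encoding="entity" differ (the ampersand), and how the escape sequences expand. The exact character set Foswiki encodes under encoding="entity" is an assumption here; encoding the parameter name as well as the value is a design choice of this example.

```python
import re
from urllib.parse import quote

# Constructed reference implementation of the QUERYPARAMS expansion described
# above (not Foswiki's own code). The character set covered by the "entity"
# encoding is an assumption; the other encodings follow the documented text.

def _num_entity(ch: str) -> str:
    # Numeric HTML entity, zero-padded as in the documented &#034; example.
    return "&#%03d;" % ord(ch)

_SAFE_CHARS = set("'\"<>%")
_ENTITY_CHARS = set("\"%&'*<=>@[]_|") | ({chr(i) for i in range(0x20)} - {"\n", "\r"})

def encode_value(value: str, encoding: str = "safe") -> str:
    """Apply one of the documented encoding="..." modes to a single string."""
    if encoding == "safe":
        # Default: only '"<>% become entities; & and everything else pass through.
        return "".join(_num_entity(c) if c in _SAFE_CHARS else c for c in value)
    if encoding == "entity":
        # Broader set (assumed), but \n and \r are left alone as documented.
        return "".join(_num_entity(c) if c in _ENTITY_CHARS else c for c in value)
    if encoding == "html":
        # Same as entity, plus \n and \r.
        return "".join(_num_entity(c) if (c in _ENTITY_CHARS or c in "\n\r") else c
                       for c in value)
    if encoding == "quotes":
        # Only double quotes are touched, with a backslash escape.
        return value.replace('"', '\\"')
    if encoding == "url":
        # Percent-encode for use in a URL parameter: " becomes %22.
        return quote(value, safe="")
    raise ValueError("unknown encoding: %r" % encoding)

# Escape sequences of the format string. The alternation is tried left to
# right, so "$name" must come before "$n", and "$nop()"/"$n()" before the
# bare forms, or "$name" would be read as "$n" followed by "ame".
_TOKEN_RE = re.compile(r"\$name|\$value|\$nop\(\)|\$nop|\$n\(\)|\$n|\$quot|\$percnt|\$dollar")
_ESCAPES = {"$nop": "", "$nop()": "", "$n": "\n", "$n()": "\n",
            "$quot": '"', "$percnt": "%", "$dollar": "$"}

def expand_queryparams(params, fmt="$name=$value", separator="$n", encoding="safe"):
    """Render one row per value of each query parameter, like the macro.

    params is a list of (name, [values]) pairs in submission order; a
    multi-valued parameter yields one row per value. Both name and value are
    encoded, since a caller controls both (a design choice of this example).
    """
    def render(template, name, value):
        def sub(m):
            tok = m.group(0)
            if tok == "$name":
                return encode_value(name, encoding)
            if tok == "$value":
                return encode_value(value, encoding)
            return _ESCAPES[tok]
        # One regex pass: text substituted for $name/$value is never rescanned,
        # so a parameter value of "$percnt" stays literal instead of becoming "%".
        return _TOKEN_RE.sub(sub, template)

    rows = [render(fmt, name, v) for name, values in params for v in values]
    sep = _TOKEN_RE.sub(lambda m: _ESCAPES.get(m.group(0), m.group(0)), separator)
    return sep.join(rows)

# Constructed sample parameters: one multi-valued, one carrying script markup,
# and one with & and ' to show where "safe" and "entity" differ.
SAMPLE_PARAMS = [
    ("topic", ["Main.WebHome"]),
    ("q", ['<script>alert("x")</script>']),
    ("who", ["Tom & Jerry's"]),
    ("tag", ["a", "b"]),
]

def hidden_inputs(params=SAMPLE_PARAMS):
    """The page's example: hidden form fields rendered with encoding="entity"."""
    return expand_queryparams(
        params, fmt="<input type='hidden' name='$name' value='$value' />", encoding="entity")

if __name__ == "__main__":
    print(expand_queryparams(SAMPLE_PARAMS))
    print(hidden_inputs())
    for enc in ("safe", "entity", "html", "quotes", "url"):
        print(enc, "->", encode_value('a "b" & <c>\n', enc))
```

Running the script prints the default $name=$value listing, the hidden-input form of the page's example, and one line per encoding for a string mixing quotes, an ampersand, angle brackets and a newline, which makes the differences between "safe", "entity" and "html" visible side by side.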
Topic revision: r1 - 09 Jan 2009 - 06:00:00 - ProjectContributor?