QUERYPARAMS -- show paramaters to the query

  • Expands the parameters to the query that was used to display the page.
  • Syntax: %QUERYPARAMS{...}%
  • Supported parameters:
    Parameter: Description: Default:
    format="..." Format string for each entry $name=$value
    separator="..." Separator string separator="$n" (newline)
    encoding="entity"
    encoding="safe"
    encoding="html"
    encoding="quotes"
    encoding="url"
    Control how special characters are encoded. If this parameter is not given, "safe" encoding is performed which HTML entity encodes the characters '"<>%.
    entity: Encode special characters into HTML entities, like a double quote into &#034;. Does not encode \n or \r.
    safe: Encode characters '"<>% into HTML entities. (this is the default)
    html: As type="entity" except it also encodes \n and \r
    quotes: Escape double quotes with backslashes (\"), does not change other characters
    url: Encode special characters for URL parameter use, like a double quote into %22
    type="safe"
  • The following escape sequences are expanded in the format string:
    Sequence: Expands To:
    $name Name of the parameter
    $value String value of the parameter. Multi-valued parameters will have a "row" for each value.
    $n or $n() New line. Use $n() if followed by alphanumeric character, e.g. write Foo$n()Bar instead of Foo$nBar
    TIP Most macros accept parameter strings which are split over multiple lines. This is usually more readable than using $n tokens. If you are familiar with sectional includes, you might also consider nested sectional includes to hold the newline content outside of the parameter string entirely.
    $nop or $nop() Is a "no operation". This token gets removed; useful for nested search
    $quot Double quote (") (\" also works)
    $percent Percent sign (%) ($percnt also works)
    $dollar Dollar sign ($)
    $lt Less than sign (<)
    $gt Greater than sign (>)
    $amp Ampersand (&)
    $comma Comma (,)
  • Example:
       %QUERYPARAMS{
         format="<input type='hidden' name='$name' value='$value' encoding="entity" />"
       }%
ALERT! Security warning!

Using QUERYPARAMS can easily be misused for cross-site scripting unless specific characters are entity encoded. By default QUERYPARAMS encodes the characters '"<>% into HTML entities (same as encoding="safe") which is relatively safe. The safest is to use encoding="entity". When passing QUERYPARAMS inside another macro always use double quotes ("") combined with using QUERYPARAMS with encoding="quote". For maximum security against cross-site scripting you are adviced to install the Foswiki:Extensions.SafeWikiPlugin.
Topic revision: r1 - 09 Jan 2009, ProjectContributor
 

This site is powered by FoswikiCopyright © by the contributing authors. All material on this site is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback