%QUERYPARAMS{...}%
Parameter: | Description: | Default: |
---|---|---|
format="..." | Format string for each entry | $name=$value |
separator="..." | Separator string | separator="$n" (newline) |
encoding="entity" encoding="safe" encoding="html" encoding="quotes" encoding="url" | Control how special characters are encoded. If this parameter is not given, "safe" encoding is performed which HTML entity encodes the characters '"<>% . entity : Encode special characters into HTML entities, like a double quote into " . Does not encode \n or \r . safe : Encode characters '"<>% into HTML entities. (this is the default) html : As type="entity" except it also encodes \n and \r quotes : Escape double quotes with backslashes (\" ), does not change other characters url : Encode special characters for URL parameter use, like a double quote into %22 | type="safe" |
Sequence: | Expands To: |
---|---|
$name |
Name of the parameter |
$value |
String value of the parameter. Multi-valued parameters will have a "row" for each value. |
$n or $n() |
New line. Use $n() if followed by alphanumeric character, e.g. write Foo$n()Bar instead of Foo$nBar Most macros accept parameter strings which are split over multiple lines. This is usually more readable than using |
$nop or $nop() |
Is a "no operation". This token gets removed; useful for nested search |
$quot |
Double quote (" ) (\" also works) |
$percent |
Percent sign (% ) ($percnt also works) |
$dollar |
Dollar sign ($ ) |
$lt |
Less than sign (< ) |
$gt |
Greater than sign (> ) |
$amp |
Ampersand (& ) |
$comma |
Comma (, ) |
%QUERYPARAMS{ format="<input type='hidden' name='$name' value='$value' encoding="entity" />" }%
Security warning!
Using QUERYPARAMS can easily be misused for cross-site scripting unless specific characters are entity encoded. By default QUERYPARAMS encodes the characters '"<>%
into HTML entities (same as encoding="safe") which is relatively safe. The safest is to use encoding="entity". When passing QUERYPARAMS inside another macro always use double quotes ("") combined with using QUERYPARAMS with encoding="quote". For maximum security against cross-site scripting you are adviced to install the Foswiki:Extensions.SafeWikiPlugin.