University of Natural Resources and Life Sciences (BOKU)
Institute of Computational Biology

QUERYPARAMS -- show parameters to the query

Expands the parameters to the query that was used to display the page.

Parameters

Parameter: Description: Default:
format Format string for each entry $name=$value
separator Separator string $n (newline)
encoding Control how special characters are encoded. If this parameter is not given, safe encoding is performed which HTML entity encodes the characters '"<>%.
entity - Encode special characters into HTML entities, like a double quote into &#034;. Does not encode \n or \r.
safe - Encode characters '"<>% into HTML entities. (this is the default)
html - As type="entity" except it also encodes \n and \r
quotes - Escape double quotes with backslashes (\"), does not change other characters
url - Encode special characters for URL parameter use, like a double quote into %22
safe
The following tokens are expanded in the format string:
Token Expands To
$name Name of the parameter
$value String value of the parameter. Multi-valued parameters will have a "row" for each value.
In addition the standard format tokens are also expanded.

Examples

   %QUERYPARAMS{
     format="<input type='hidden' name='$name' value='$value' encoding="entity" />"
   }%
ALERT! Security warning!

Using QUERYPARAMS can easily be misused for cross-site scripting unless specific characters are entity encoded. By default QUERYPARAMS encodes the characters '"<>% into HTML entities (same as encoding="safe") which is relatively safe. The safest is to use encoding="entity". When passing QUERYPARAMS inside another macro always use double quotes ("") combined with using QUERYPARAMS with encoding="quote". For maximum security against cross-site scripting you are advised to install the Foswiki:Extensions.SafeWikiPlugin.

QUERYSTRING, URLPARAM
26 Dec 2024 - 12:24 Foswiki v2.0.2