(no commit message)

[openafs-wiki.git] / TWiki / VarURLPARAM.mdwn

<a name="VarURLPARAM"></a>

### <a name="URLPARAM{&quot;name&quot;} -- get value of"></a> URLPARAM\{"name"\} -- get value of a URL parameter

- Returns the value of a URL parameter.
- Syntax: `%URLPARAM{"name"}%`
- Supported parameters: <table border="1" cellpadding="0" cellspacing="0">
  <tr>
    <th bgcolor="#99CCCC"><strong> Parameter: </strong></th>
    <th bgcolor="#99CCCC"><strong> Description: </strong></th>
    <th bgcolor="#99CCCC"><strong> Default: </strong></th>
  </tr>
  <tr>
    <td><code>"name"</code></td>
    <td> The name of a URL parameter </td>
    <td> required </td>
  </tr>
  <tr>
    <td><code>default="..."</code></td>
    <td> Default value in case parameter is empty or missing </td>
    <td> empty string </td>
  </tr>
  <tr>
    <td><code>newline="&lt;br /&gt;"</code></td>
    <td> Convert newlines in textarea to other delimiters </td>
    <td> no conversion </td>
  </tr>
  <tr>
    <td><code>encode="off"</code></td>
    <td> Turn off encoding. See important security note below </td>
    <td> encode="safe" </td>
  </tr>
  <tr>
    <td><code>encode="safe"</code></td>
    <td> Encode special characters into HTML entities to avoid XSS exploits: <code>"&lt;"</code>, <code>"&gt;"</code>, <code>"%"</code>, single quote (<code>'</code>) and double quote (<code>"</code>) </td>
    <td> (this is the default) </td>
  </tr>
  <tr>
    <td><code>encode="entity"</code></td>
    <td> Encode special characters into HTML entities. See [[Main/VarENCODE]] for more details. </td>
    <td> encode="safe" </td>
  </tr>
  <tr>
    <td><code>encode="url"</code></td>
    <td> Encode special characters for URL parameter use, like a double quote into <code>%22</code></td>
    <td> encode="safe" </td>
  </tr>
  <tr>
    <td><code>encode="quote"</code></td>
    <td> Escape double quotes with backslashes (<code>\"</code>), does not change other characters; required when feeding URL parameters into other TWiki variables </td>
    <td> encode="safe" </td>
  </tr>
  <tr>
    <td><code>multiple="on"</code> %BR% <code>multiple="[[$item]]"</code></td>
    <td> If set, gets all selected elements of a <code>&lt;select multiple="multiple"&gt;</code> tag. A format can be specified, with <code>$item</code> indicating the element, e.g. <code>multiple="Option: $item"</code></td>
    <td> first element </td>
  </tr>
  <tr>
    <td><code>separator=", "</code></td>
    <td> Separator between multiple selections. Only relevant if multiple is specified </td>
    <td><code>"\n"</code> (new line) </td>
  </tr>
</table>
- Example: `%URLPARAM{"skin"}%` returns `print` for a `.../view/%WEB%/%INCLUDINGTOPIC%?skin=print` URL
- **_%X% Notes:_**
  - **IMPORTANT:** There is a risk that this variable can be misused for [cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting) (XSS) if the encoding is turned off. The `encode="safe"` is the default, it provides a safe middle ground. The `encode="entity"` is more aggressive, but some TWiki applications might not work.
  - URL parameters passed into HTML form fields must be entity [[ENCODEd|Main/VarENCODE]].%BR% Example: `<input type="text" name="address" value="%URLPARAM{ "address" encode="entity" }%" />`
  - Double quotes in URL parameters must be escaped when passed into other TWiki variables.%BR% Example: `%SEARCH{ "%URLPARAM{ "search" encode="quotes" }%" noheader="on" }%`
  - When used in a template topic, this variable will be expanded when the template is used to create a new topic. See [[TWikiTemplates#TemplateTopicsVars]] for details.
  - Watch out for TWiki internal parameters, such as `rev`, `skin`, `template`, `topic`, `web`; they have a special meaning in TWiki. Common parameters and view script specific parameters are documented at [[TWikiScripts]].
  - If you have `%URLPARAM{` in the value of a URL parameter, it will be modified to `%<nop>URLPARAM{`. This is to prevent an infinite loop during expansion.
- Related: [[ENCODE|Main/VarENCODE]], [[SEARCH|Main/VarSEARCH]], [[FormattedSearch]], [[QUERYSTRING|Main/VarQUERYSTRING]]