| Parameter: | Description: | Default: |
| --- | --- | --- |
| `"name"` | The name of a URL parameter | required |
| `default="..."` | Default value in case parameter is empty or missing | empty string |
| `newline="<br />"` | Convert newlines in textarea to other delimiters | no conversion |
| `encode="off"` | Turn off encoding. See important security note below | `encode="safe"` |
| `encode="safe"` | Encode special characters into HTML entities to avoid XSS exploits: `"<"`, `">"`, `"%"`, single quote (`'`) and double quote (`"`) | (this is the default) |
| `encode="entity"` | Encode special characters into HTML entities. See [[Main/VarENCODE]] for more details. | `encode="safe"` |
| `encode="url"` | Encode special characters for URL parameter use, like a double quote into `%22` | `encode="safe"` |
| `encode="quote"` | Escape double quotes with backslashes (`\"`), does not change other characters; required when feeding URL parameters into other TWiki variables | `encode="safe"` |
| `multiple="on"` %BR% `multiple="[[$item]]"` | If set, gets all selected elements of a `<select multiple="multiple">` tag. A format can be specified, with `$item` indicating the element, e.g. `multiple="Option: $item"` | first element |
| `separator=", "` | Separator between multiple selections. Only relevant if multiple is specified | `"\n"` (new line) |
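
The `encode` modes in the table above, modelled as an added Python example (not TWiki's own code) to show which of them leave HTML markup characters in a parameter value. The function names and the sample value are constructed; the numeric-entity output for `safe` and the use of `urllib` for `url` are assumptions, and `encode="entity"` is not modelled because its details live in [[Main/VarENCODE]].

```python
import re
from urllib.parse import quote as url_quote

# Characters the table lists for encode="safe".
SAFE_CHARS = re.compile(r"[<>%'\"]")
# Characters that can open a tag or close an attribute value in HTML.
HTML_ACTIVE = re.compile(r"[<>'\"]")


def encode_param(value: str, mode: str = "safe") -> str:
    """Model of the encode= modes described in the table (not TWiki's code)."""
    if mode == "off":
        return value                                  # passed through untouched
    if mode == "safe":
        # Assumption: numeric entities, e.g. "<" becomes "&#60;".
        return SAFE_CHARS.sub(lambda m: f"&#{ord(m.group())};", value)
    if mode == "url":
        # Approximation: percent-encode everything outside the unreserved set.
        return url_quote(value, safe="")
    if mode == "quote":
        return value.replace('"', '\\"')              # only double quotes change
    raise ValueError(f"unmodelled encode mode: {mode}")


def inert_in_html(encoded: str) -> bool:
    """True if nothing in the string can start a tag or end an attribute."""
    return HTML_ACTIVE.search(encoded) is None


def audit(value: str) -> dict:
    """Map each modelled mode to whether its output is inert in HTML."""
    return {m: inert_in_html(encode_param(value, m))
            for m in ("off", "safe", "url", "quote")}


# Constructed sample: a parameter value containing markup and a "%" pair.
SAMPLE = '"><em>hi</em> %WIKINAME%'

if __name__ == "__main__":
    for mode, ok in audit(SAMPLE).items():
        print(f"encode={mode!r:8} inert={ok!s:5} -> {encode_param(SAMPLE, mode)}")
```

In this model `encode="off"` and `encode="quote"` both leave `<`, `>` and quote characters in place, so output produced with either still needs entity encoding before it is written into HTML.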
- Example: `%URLPARAM{"skin"}%` returns `print` for a `.../view/%WEB%/%INCLUDINGTOPIC%?skin=print` URL
- **_%X% Notes:_**
- **IMPORTANT:** There is a risk that this variable can be misused for [cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting) (XSS) if the encoding is turned off. `encode="safe"` is the default and provides a safe middle ground. `encode="entity"` is more aggressive, but some TWiki applications might not work with it.
- URL parameters passed into HTML form fields must be entity [[ENCODEd|Main/VarENCODE]].%BR% Example: `