<a name="VarURLPARAM"></a>
### URLPARAM{"name"} -- get value of a URL parameter

- Returns the value of a URL parameter.
- Syntax: `%URLPARAM{"name"}%`
- Supported parameters:

| Parameter: | Description: | Default: |
|---|---|---|
| `"name"` | The name of a URL parameter | |
| `default="..."` | Default value in case the parameter is empty or missing | empty string |
| `newline="<br />"` | Convert newlines in a textarea to other delimiters | no conversion |
| `encode="off"` | Turn off encoding. See the important security note below | `encode="safe"` |
| `encode="safe"` | Encode special characters into HTML entities to avoid XSS exploits: `"<"`, `">"`, `"%"`, single quote (`'`) and double quote (`"`) | (this is the default) |
| `encode="entity"` | Encode special characters into HTML entities. See [[Main/VarENCODE]] for more details. | `encode="safe"` |
| `encode="url"` | Encode special characters for URL parameter use, e.g. a double quote into `%22` | `encode="safe"` |
| `encode="quote"` | Escape double quotes with backslashes (`\"`); does not change other characters. Required when feeding URL parameters into other TWiki variables | `encode="safe"` |
| `multiple="on"` <br /> `multiple="[[$item]]"` | If set, gets all selected elements of a `<select multiple="multiple">` tag. A format can be specified, with `$item` indicating the element, e.g. `multiple="Option: $item"` | first element |
| `separator=", "` | Separator between multiple selections. Only relevant if `multiple` is specified | `"\n"` (new line) |
- Example: `%URLPARAM{"skin"}%` returns `print` for a `.../view/%WEB%/%INCLUDINGTOPIC%?skin=print` URL
- **IMPORTANT:** There is a risk that this variable can be misused for [cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting) (XSS) if the encoding is turned off. `encode="safe"` is the default and provides a safe middle ground. `encode="entity"` is more aggressive, but some TWiki applications might not work with it.
- URL parameters passed into HTML form fields must be entity [[ENCODEd|Main/VarENCODE]]. Example: `<input type="text" name="address" value="%URLPARAM{ "address" encode="entity" }%" />`
- Double quotes in URL parameters must be escaped when passed into other TWiki variables. Example: `%SEARCH{ "%URLPARAM{ "search" encode="quote" }%" noheader="on" }%`
- When used in a template topic, this variable will be expanded when the template is used to create a new topic. See [[TWikiTemplates#TemplateTopicsVars]] for details.
- Watch out for TWiki internal parameters, such as `rev`, `skin`, `template`, `topic`, `web`; they have a special meaning in TWiki. Common parameters and view script specific parameters are documented at [[TWikiScripts]].
- If you have `%URLPARAM{` in the value of a URL parameter, it will be modified to `%<nop>URLPARAM{`. This is to prevent an infinite loop during expansion.
- Related: [[ENCODE|Main/VarENCODE]], [[SEARCH|Main/VarSEARCH]], [[FormattedSearch]], [[QUERYSTRING|Main/VarQUERYSTRING]]