Default value in case parameter is empty or missing
empty string
newline="<br />"
Convert newlines in textarea to other delimiters
no conversion
Changed:
< <
encode="entity"
Encode special characters into HTML entities. See ENCODE for more details.
no encoding
encode="url"
Encode special characters for URL parameter use, like a double quote into %22
no encoding
encode="quote"
Escape double quotes with backslashes (\"), does not change other characters; required when feeding URL parameters into other TWiki variables
no encoding
> >
encode="off"
Turn off encoding. See important security note below
encode="safe"
encode="safe"
Encode special characters into HTML entities to avoid XSS exploits: "<", ">", "%", single quote (') and double quote (")
(this is the default)
encode="entity"
Encode special characters into HTML entities. See ENCODE for more details.
encode="safe"
encode="url"
Encode special characters for URL parameter use, like a double quote into %22
encode="safe"
encode="quote"
Escape double quotes with backslashes (\"), does not change other characters; required when feeding URL parameters into other TWiki variables
encode="safe"
multiple="on" multiple="[[$item]]"
If set, gets all selected elements of a <select multiple="multiple"> tag. A format can be specified, with $item indicating the element, e.g. multiple="Option: $item"
first element
separator=", "
Separator between multiple selections. Only relevant if multiple is specified
"\n" (new line)
Example: %URLPARAM{"skin"}% returns print for a .../view/TWiki/VarURLPARAM?skin=print URL
Notes:
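Review bot: the default column in the new rows changes from "no encoding" to encode="safe", but nothing in the table tells maintainers of existing topics that output which used to come back raw is now encoded, or that encode="off" must be set explicitly to keep the old behaviour. Suggest saying so in the encode="off" row, which currently only points to the security note. The encode="safe" row lists the characters it encodes ("<", ">", "%", single quote and double quote), while the encode="entity" row only refers to ENCODE; one clause on what entity encodes beyond the safe set would let a reader choose between the two from this table alone.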
Changed:
< <
IMPORTANT: There is a risk that this variable could be misused for cross-site scripting (XSS).
URL parameters passed into HTML form fields must be entity ENCODEd. Example: <input type="text" name="address" value="%URLPARAM{ "address" encode="entity" }%" />
> >
IMPORTANT: There is a risk that this variable can be misused for cross-site scripting (XSS) if the encoding is turned off. The encode="safe" is the default, it provides a safe middle ground. The encode="entity" is more aggressive, but some TWiki applications might not work.
URL parameters passed into HTML form fields must be entity ENCODEd. Example: <input type="text" name="address" value="%URLPARAM{ "address" encode="entity" }%" />
Double quotes in URL parameters must be escaped when passed into other TWiki variables. Example: %SEARCH{ "%URLPARAM{ "search" encode="quotes" }%" noheader="on" }%
When used in a template topic, this variable will be expanded when the template is used to create a new topic. See TWikiTemplates#TemplateTopicsVars for details.
Watch out for TWiki internal parameters, such as rev, skin, template, topic, web; they have a special meaning in TWiki. Common parameters and view script specific parameters are documented at TWikiScripts.
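Review bot: the rewritten IMPORTANT note limits the XSS risk to the case where "the encoding is turned off" and calls encode="safe" a "safe middle ground", yet the following line still says parameters passed into HTML form fields "must be entity ENCODEd", so the note should state whether the safe default is sufficient inside an attribute value or whether encode="entity" remains required there. "some TWiki applications might not work" is too vague to act on; say what kind of input or application is affected by encode="entity". The sentence "The encode="safe" is the default, it provides a safe middle ground." is a comma splice and reads better as two sentences.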