URLPARAM -- get URL or HTTP POST parameter value

Returns the value of the named parameter in the URL or HTTP POST request.


Parameter: Description: Default:
"name" The name of a URL parameter required
default Default value, used if the parameter is not present ""
newline Convert newlines in textarea to other delimiters  
encode Control how special characters are encoded
"off" - No encoding. Avoid using this when possible. See the security warning below.
"entity" - Encode special characters into HTML entities. See ENCODE for more details.
"safe" - Encode characters '"<>% into HTML entities.
"url" - Encode special characters for URL parameter use, like a double quote into %22
"quote" - Escape double quotes with backslashes (\"), does not change other characters; required when feeding URL parameters into other macros.
You can combine several encodings together, and they will be applied in the order you specify e.g. encode="safe, quote"
multiple If set, gets all selected elements of a <select multiple="multiple"> tag. Can be set to a format string, with $item indicating the element, e.g. multiple="Option: $item" (also supports the standard format tokens) first element
separator Separator between multiple selections. Only relevant if multiple is specified $n (new line)


%URLPARAM{"skin"}% returns print for a .../view/System/VarURLPARAM?skin=print URL

HELP URL parameters passed into HTML form fields must be entity encoded.

HELP Double quotes in URL parameters must be escaped when passed into other macros.
Example: %SEARCH{ "%URLPARAM{ "search" encode="safe, quote" }%" noheader="on" }%

HELP Reverse the encoding when used in SEARCH.
Example: %SEARCH{ "%URLPARAM{ "search" encode="safe, quote"}%" decode="safe" noheader="on" }%. (It is not necessary to reverse quote encoding, otherwise decode= options should be specified in the reverse order from the encode= options.)

HELP When used in a template topic, this macro will be expanded when the template is used to create a new topic. See TemplateTopics#TemplateTopicsVars for details.

ALERT! Watch out for internal parameters, such as rev, skin, template, topic, web; they have a special meaning in Foswiki. Common parameters and view script specific parameters are documented at CommandAndCGIScripts.

ALERT! If you have %URLPARAM{ in the value of a URL parameter, it will be modified to %<nop>URLPARAM{. This is to prevent an infinite loop during expansion.

ALERT! Security warning! Using URLPARAM can easily be misused for cross-site scripting unless specific characters are entity encoded. By default URLPARAM encodes the characters '"<>% into HTML entities (same as encode="safe") which is relatively safe. The safest is to use encode="entity". When passing URLPARAM inside another macro always use double quotes ("") combined with using URLPARAM with encode="quote". For maximum security against cross-site scripting you are adviced to install the Foswiki:Extensions.SafeWikiPlugin.

Topic revision: r1 - 24 Sep 2015, ProjectContributor
This site is powered by FoswikiCopyright © by the contributing authors. All material on this site is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback