• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item6137: %URLPARAM% in HTML input form fields need to be entity encoded

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Normal Closed   n/a 4.2.4, 5.0.0

Edit Form Data

Reported By:
Applies To:
Current State:
Waiting For:
Target Release:
Released In:


A few XSS issues - a few topics needs %URLPARAM% to be used with proper syntax e.g. TWiki.ResetPassword, TWiki.WebSearch needs to be updated for handling URLPARAM encoding in a better way.

This is encoding issue on URL parameters.

Thanks to Marc Schoenefeld and Steve 'Ashcrow' Milner for raising this issue through emails.

Thanks Peter for figuring out the solution.

-- TWiki:Main/SopanShewale - 01 Dec 2008

All HTML input field values that have a URLPARAM need to be entity escaped as documented in TWiki:TWiki.VarURLPARAM and TWiki:TWiki.VarENCODE.


<input type="text" name="address" value="%URLPARAM{ "address" encode="entity" }%" />

-- TWiki:Main.PeterThoeny - 01 Dec 2008

Closing this bug after release

-- TWiki:Main.SopanShewale - 11 Dec 2008

Edit | Attach | Watch | Print version | History: r25 < r24 < r23 < r22 < r21 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r25 - 2008-12-11 - SopanShewale
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback