{qss:variable_name:delimiter}

Description

Returns a GET or POST parameter from the current request, HTML-encoded so it is safe to print into a page. qss is the safe twin of qs: it runs the same lookup and then passes the result through safe(), the encoder that turns less-than, greater-than, ampersand and quotes into HTML entities. Use qss every time you echo a value that came from the URL or a submitted form into HTML; it stops a crafted parameter from injecting markup or script (cross-site scripting). Reach for the raw qs only when the value is consumed by another command rather than written straight to the page.

Entity encoding is the right defence for HTML text and for quoted attribute values. It does not by itself make a value safe inside a script block, an unquoted attribute, or the URL in an href: the browser decodes the entities again before it interprets the result, so in those places the value also needs the encoding of that context (percent-encoding for a URL), and attributes must stay quoted.

With no parameter name qss returns the whole query string (GET and POST together), encoded. Given a name it returns that one parameter; a name that is not present expands to an empty string. A bracketed posted name, such as a form field array index, is matched verbatim against the raw query string. When the parameter holds several values, a second delimiter argument joins them with that delimiter; without a delimiter the list is returned as JSON. qss is never cached (it is recomputed on every request) and its arguments are not whitespace-trimmed.

Parameters

variable_name (optional; default: empty, which returns the whole query string)

Name of the GET or POST parameter to read, HTML-encoded on the way out. Omit it to get the whole query string (GET and POST together). A name that is not present in the request expands to an empty string. You may also pass a full bracketed posted name (a form field array index); it is matched verbatim against the raw query string and returned exactly as posted, HTML-encoded.

delimiter (optional; default: none, multiple values are returned as JSON)

Used only when the parameter holds several values (a repeated field). The values are joined with this string. If you leave it out, a multi-value parameter is returned as a JSON array instead of a joined string. It has no effect on a single-value parameter.

Examples

test: [{qss:surname}]
Expected: []
Actual: []
When the named parameter is not in the request, qss expands to an empty string. Here the page is rendered without a surname parameter, so the brackets show nothing between them. This is the deterministic side of qss; the cases below depend on what the visitor actually sent.
virtual: <a href="/cz/review?id={qss:revize}">open</a>
Expected: <a href="/cz/review?id=42">open</a> (for ?revize=42)
Actual: a link reading open, rendered here without a revize parameter, so its id is empty
Echo a parameter into the href of a link. Because qss encodes the value, a quote character in the parameter comes out as an entity and cannot close the attribute, so a parameter that tried to break out of it is neutralised. For ?revize=42 the link points at /cz/review?id=42. This mirrors real toolkit views that pass the current selection on to the next page. Note that entity encoding is not URL encoding: the browser decodes the entities before it follows the link, so a value that itself carries a percent-encoded ampersand or equals sign can arrive in the target URL as an extra query parameter. Keep the attribute quoted, and where the value forms part of a URL, percent-encode it as well before it reaches the page.
test: {ifset:{qss:filter}:filtering on:no filter chosen}
Expected: no filter chosen
Actual: no filter chosen
A common real pattern: branch on whether a parameter was supplied. ifset emits its first text when the value is non-empty, otherwise the fallback. Rendered here without a filter parameter, qss is empty, so ifset returns no filter chosen. With ?filter=news it would print filtering on.
virtual: {qss:surname}
Expected: Havel (for ?surname=Havel)
Returns the value of the surname parameter, html-encoded. For the URL ending in ?surname=Havel it prints Havel. This is the everyday use: safely echo a single value that came from the URL or a form.
virtual: {qss:tag:, }
Expected: red, green, blue (for ?tag=red&tag=green&tag=blue)
When the same parameter is sent more than once (a multi-select), the second argument joins the values. For ?tag=red&tag=green&tag=blue the delimiter comma-space gives red, green, blue. Without the delimiter the same input would come back as the JSON array of the three values.
virtual: {ifeq:{qss:edit}:on:editing enabled:editing off}
Expected: editing enabled (for ?edit=on)
Actual: editing off
Drive page state from a query parameter. For ?edit=on this prints editing enabled; any other value or no parameter prints editing off. The Actual line reads editing off because this page was rendered without an edit parameter. A real toolkit view uses this idiom to toggle an in-place edit mode from a link.
virtual: {qss}
Expected: surname=Havel&lang=cz (for ?surname=Havel&lang=cz)
With no parameter name qss returns the entire query string, GET and POST parameters together, HTML-encoded. The ampersands separating the pairs are encoded like any other character, so the raw HTML reads surname=Havel&amp;lang=cz and the browser displays it as surname=Havel&lang=cz. Useful for debugging or for carrying the current parameters over into a link.
virtual: {qss:surname}
Expected: &lt;b&gt;bad&lt;/b&gt; (for ?surname=<b>bad</b>)
The point of qss over qs: the value is passed through safe(), so a parameter carrying markup comes out as harmless entities and cannot inject tags or script. For ?surname=<b>bad</b> qss prints the encoded text; qs would print the live tags, and the browser would render them. Always use qss when writing a parameter into HTML text or a quoted attribute value.
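The Python model below is added here to illustrate the description and this last example; it is not the toolkit's own code. The functions qs(), qss(), safe(), parse_request(), link_target() and the helper qss_url() are assumptions written for this page, and the requests it parses are constructed. It reproduces the behaviour the description gives (missing name to empty string, delimiter join or JSON list, whole query string without a name, safe() as entity encoding of less-than, greater-than, ampersand and quotes) and goes one step past the page's examples to show where entity encoding stops: a value written into the href of the link example above is decoded by the browser before the link is followed, so it also needs percent-encoding.

```python
"""Model of the toolkit's qs / qss commands, written for this page as an
illustration.  Not the toolkit's implementation: qs(), qss(), safe(),
parse_request(), link_target(), qss_url() and the name -> [values] request
shape are assumptions.  The behaviour follows the description above."""
import html
import json
from urllib.parse import parse_qs, quote, urlencode


def safe(text):
    """The encoder qss applies: <, >, &, " and ' become HTML entities."""
    return html.escape(text, quote=True)


def parse_request(query_string, post_body=""):
    """Merge GET and POST parameters into one name -> [values] mapping."""
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in parse_qs(post_body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return params


def qs(params, name=None, delimiter=None):
    """Raw lookup, as the text describes qs: nothing is encoded on the way out."""
    if name is None:
        return urlencode(params, doseq=True)   # {qs}: the whole query string
    values = params.get(name, [])
    if not values:
        return ""                              # absent name -> empty string
    if len(values) == 1:
        return values[0]
    if delimiter is not None:
        return delimiter.join(values)          # {qs:tag:, }
    return json.dumps(values)                  # {qs:tag} with a repeated field


def qss(params, name=None, delimiter=None):
    """Safe twin: the identical lookup, then safe() on the result."""
    return safe(qs(params, name, delimiter))


def link_target(params, encoder=qss):
    """Emulate <a href="/cz/review?id={qss:revize}">: write the attribute with
    `encoder`, then undo entity encoding the way a browser does before it
    follows the link, and return the URL that is actually requested."""
    attribute_value = encoder(params, "revize")
    return "/cz/review?id=" + html.unescape(attribute_value)


def qss_url(params, name=None, delimiter=None):
    """Hypothetical helper (not a toolkit command): percent-encode a value that
    lands inside a URL, then entity-encode it for the attribute."""
    return safe(quote(qs(params, name, delimiter), safe=""))


if __name__ == "__main__":
    # Constructed requests standing in for what a visitor might send.
    hostile = parse_request("surname=<b>bad</b>")
    print(qs(hostile, "surname"))    # <b>bad</b>  (live markup)
    print(qss(hostile, "surname"))   # &lt;b&gt;bad&lt;/b&gt;

    # Quotes are encoded, so the value cannot close the href attribute.
    breakout = parse_request('revize=42" onmouseover="x')
    print(qss(breakout, "revize"))   # 42&quot; onmouseover=&quot;x

    # Entity encoding is not URL encoding: a percent-encoded & in the value
    # survives into the href and becomes a second query parameter.
    smuggled = parse_request("revize=42%26admin%3D1")
    print(link_target(smuggled))            # /cz/review?id=42&admin=1
    print(link_target(smuggled, qss_url))   # /cz/review?id=42%26admin%3D1
```

Running the block prints the qs/qss pair for the markup example, the neutralised attribute breakout, and the two link targets side by side: with qss alone the smuggled ampersand adds an admin parameter to the target URL, with the percent-encoding helper it stays part of the id value.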