Gossamer Forum

Upgrade to 1.2.0: query string values no longer being carried.

When using 1.1.8 it was possible to carry variables into a template, e.g...

Code:
http://forum/index.cgi?do=message_list;box=out;

...and the value of box could be used with <%box%>; however, with 1.2.0, <%box%> errors as an unknown tag.


moog
-- I've spent most of my money on beer and women... the rest I just wasted.
Re: [moog] Upgrade to 1.2.0: query string values no longer being carried.
I think this may be a security improvement and allowing parameters to appear in templates is probably not a good idea (as then output can be altered by users).
Re: [Paul] Upgrade to 1.2.0: query string values no longer being carried.
Thanks Paul, I can now see the possible security implications... Is there a way of un-restricting a variable for a particular do?

I'm using...
Code:
<%if box eq "out"%>
HTML
<%else%>
HTML
<%endif%>

..so if a user was to mess around, the worst case scenario would result in the <%else%> option...


moog
-- I've spent most of my money on beer and women... the rest I just wasted.
Re: [moog] Upgrade to 1.2.0: query string values no longer being carried.
Gossamer Forum has never passed CGI variables through to the templates. If you do want to get them, you can use a global such as:

sub { return scalar $IN->param(shift) }

then, in the template:

<%set box = template_var_name("box")%>

Jason Rhinelander
Gossamer Threads
jason@gossamer-threads.com
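
The global above hands any query-string value to the template, which is the exposure raised earlier in the thread. As an added example (not part of the original posts and not Gossamer Threads code), the script below shows a restricted variant that returns a value only when both the parameter name and its value are on an allowlist. `StubIN`, `%ALLOWED` and `$safe_param` are hypothetical names; `StubIN` only imitates the `$IN->param` call so the script runs outside the forum.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for Gossamer Forum's $IN object, so this runs offline.
# Only the param() call shown in the thread is imitated.
package StubIN;
sub new   { my ($class, %q) = @_; return bless {%q}, $class }
sub param { my ($self, $name) = @_; return $self->{$name} }

package main;

# Hypothetical allowlist: parameter name => values a template may see.
my %ALLOWED = (box => { in => 1, out => 1 });

our $IN;

# Restricted variant of the global from the thread: returns the CGI value
# only when both the name and the value are on the allowlist, else ''.
my $safe_param = sub {
    my $name = shift;
    return '' unless defined $name && exists $ALLOWED{$name};
    my $value = scalar $IN->param($name);
    return '' unless defined $value && $ALLOWED{$name}{$value};
    return $value;
};

# Constructed sample requests: an expected value, unexpected markup, no box.
for my $query ({ box => 'out' }, { box => '<b>not-a-box</b>' }, { do => 'message_list' }) {
    $IN = StubIN->new(%$query);
    printf "box=%-18s -> '%s'\n", $query->{box} // '(absent)', $safe_param->('box');
}
```

Inside the forum, only the anonymous sub body (with its allowlist) would be stored as the global; the template then compares the returned value exactly as in the `<%if box eq "out"%>` block above and never receives user-supplied markup.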