realvalue.widget
__NAME__ purpose
display raw, unencoded value, providing no option to change it
__END__
__NAME__ synopsis
__END__
__NAME__ description
The &widget-__FILENAME__; widget simply displays &glos-variable;s
from the &glos-value;s space and does not create any &glos-HTML;
form element that would allow changing them.
</para><para>
It is similar to &widget-value;, but more dangerous. It does not
perform any encoding on the value before display, so untrusted
data (including both &glos-HTML; and &glos-ITL;!) can be
injected into the &glos-HTML; stream.
</para><para>
Use this widget with caution, and only on data you absolutely
trust.
__END__
__NAME__ notes
The variable value is not encoded before display; to
enable the recommended processing before display,
use the &widget-value; widget.
__END__
__NAME__ online: Basic value initialization and display
<programlisting>
[value name=widget_testrealvalue set="Test Widget Value" hide=1]
[widget name=widget_testrealvalue type=realvalue]
</programlisting>
__END__
__NAME__ online: Basic value initialization and display, showing arbitrary HTML and ITL code insertion
<programlisting>
[set widget_testrealvalue_input]
Test <i>Widget</i> <b>Value</b>. The time is: [time]
[/set]
[value name=widget_testrealvalue
set="[scratch widget_testrealvalue_input]"
hide=1]
[widget name=widget_testrealvalue type=realvalue]
</programlisting>
__END__
__NAME__ see also
text, textarea, value
__END__