Item2144: Document Foswiki::Func::getRequestObject()

foswiki · Dec 30, 2014 · 0542c1c · 0542c1c
1 parent 989f31c
commit 0542c1c
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/core/lib/Foswiki/Func.pm b/core/lib/Foswiki/Func.pm
@@ -353,6 +353,18 @@ Note that this method replaces =getCgiQuery= (which is a synonym for this
 method). Code that is expected to run with pre-1.1 versions of Foswiki
 can continue to call =getCgiQuery= for as long as necessary.
 
+*Caution:* Direct use of the CGI parameters can introduce security vulnerabilities.
+Any parameters from the URL should be carefully validated, and encoded for safety
+before displaying the data back to the user.
+
+Example:
+<verbatim>
+   my $query    = Foswiki::Func::getRequestObject();
+   my @cgiparms = $query->param();               # Get list of all URL Parameter names
+   my $parm1    = $query->param('parm1');        # Get a scalar value (Returns 1st value if multiple valued)
+   my @multi    = $query->multi_param('parm2');  # Get multi-valued parameter
+</verbatim>
+
 *Since:* 31 Mar 2009
 
 =cut