Fossil SCM
Clarify the use of TH1 tainted strings in the Custom Skins document, and add "mainmenu" to the list of TH1 variables available in skin templates.
Commit
12036a362cdde66da10893ee95fe65ab2f9bfe54977b0ca71d65a5ec8817f9fb
Parent
2a02993a1ae6799…
1 file changed
+8
-1
| --- www/customskin.md | ||
| +++ www/customskin.md | ||
| @@ -429,11 +429,15 @@ | ||
| 429 | 429 | repository settings and the specific page being generated. |
| 430 | 430 | |
| 431 | 431 | Variables holding text that is loaded from "external, potentially untrusted" |
| 432 | 432 | sources (including the repository settings) are treated as [tainted strings] |
| 433 | 433 | (./th1.md#taint) and must be noted in the `$<NAME>` form, instead of `$NAME`, |
| 434 | -or they may trigger an error (see the linked document for details). | |
| 434 | +or they may trigger an error (see the linked document for details). The | |
| 435 | +`$<NAME>` form corresponds to the TH1 statement `puts [ htmlize "$NAME" ]`, | |
| 436 | +where the [htmlize](./th1.md#htmlize) function escapes the tainted string, | |
| 437 | +making it safe for output in HTML code. | |
| 438 | + | |
| 435 | 439 | |
| 436 | 440 | * **`project_name`** - The project_name variable is filled with the |
| 437 | 441 | name of the project as configured under the Admin/Configuration |
| 438 | 442 | menu. This is a [tainted string](./th1.md#taint) variable and must |
| 439 | 443 | be used as `$<project_name>`. |
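Review bot: The added line 438 (`+`, empty) sits directly before the unchanged blank line 439, so the rendered Markdown now carries two consecutive blank lines between the taint paragraph and the variable list; dropping one of them keeps the document's single-blank-line spacing. On wording, "making it safe for output in HTML code" (line 437) reads as a blanket guarantee: `htmlize` performs HTML entity escaping, which is what makes a tainted value safe to emit as element text, but not as an unquoted attribute value, a URL, or script content. Suggest "making it safe to emit as HTML text content" so skin authors do not read the `$<NAME>` form as covering every output context.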
| @@ -440,10 +444,13 @@ | ||
| 440 | 444 | |
| 441 | 445 | * **`project_description`** - The project_description variable is |
| 442 | 446 | filled with the description of the project as configured under |
| 443 | 447 | the Admin/Configuration menu. This is a [tainted string] |
| 444 | 448 | (./th1.md#taint) variable and must be used as `$<project_description>`. |
| 449 | + | |
| 450 | + * **`mainmenu`** - The mainmenu variable contains a TCL list with the main | |
| 451 | + menu entries. See the [mainmenu](/help/mainmenu) setting for details. | |
| 445 | 452 | |
| 446 | 453 | * **`title`** - The title variable holds the title of the page being |
| 447 | 454 | generated. |
| 448 | 455 | |
| 449 | 456 | The title variable is special in that it is deleted after |
| 450 | 457 |
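Review bot: The new `mainmenu` entry (lines 450-451) is the only item in this list that does not say whether the variable is tainted or how it must be referenced, yet the paragraph above states that text loaded from the repository settings is treated as a tainted string, and the entry itself points at the `mainmenu` setting. Either the entry should state that the value is tainted and show the required form (e.g. "must be used as `$<mainmenu>`"), or, if the list elements are meant to be iterated rather than printed whole, it should say how to obtain and escape the individual entries, so that a skin author does not emit raw menu text with `$mainmenu`. Minor: the surrounding text says "TH1"; "TCL list" on line 450 should probably be "TH1 list" for consistency.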