untaint. Specifying data transformations

^untaint{code}
^untaint[transformation type]{code}

The untaint operator executes the code it receives and marks the tainted parts of the execution result (the pieces that were not part of the Parser code in the document body: external data, or text marked "tainted" by the taint operator) as needing a transformation of the given type. Pieces that are already subject to a transformation of some type are left untouched. If no transformation type is specified, untaint marks the tainted pieces of the execution result as as-is.

The text is only marked; the transformation itself is performed later, when the apply-taint operator is called, or when the document is output to the browser, sent to the SQL server, saved to a file, sent out by e-mail, and so on.

In some cases ^taint[transformation type][text] and ^untaint[transformation type]{text} produce the same result. This happens when the whole text is tainted (for example, $form:field). Keep in mind, however, that these operators have different default parameters, so applying either of them without a transformation type to tainted text gives completely different results.

When outputting to the browser, Parser automatically applies the optimized-html type, so the code effectively looks like this:
^untaint[optimized-html]{typed code}

This means that if you write $form:field in the body (without taint/untaint), then even if the page is requested with "?field=</html>", it will not be "crippled" by the closing tag </html> appearing too early: the content of $form:field is tainted and will undergo the automatic optimized-html transformation, which replaces the less-than and greater-than signs ('<' and '>') with the entity references '&lt;' and '&gt;'.

Example
<form>
<input type="text" name="field" />

<input type="submit" />
</form>

$tainted[$form:field]

Tainted data
-'$tainted'<br />
Untainted data
-'^untaint{$tainted}'

The transformation type for untaint is specified in square brackets. Here it is omitted, which means the default parameter, as-is, is used. Note that while untaint with an unspecified transformation type is equivalent to untaint with the as-is transformation, there is no transformation type that makes taint equivalent to taint with an unspecified type.

One might wonder why the untaint operator is needed at all. Although taint is usually enough, there are situations where untaint is the more sensible choice.

Firstly, it can reduce the number of taint operators in the code. For example, when outputting data into a multi-field form with spacing optimization disabled, you can apply ^untaint[html]{…} to the whole form instead of writing ^taint[html][…] for each textarea value.

Example
Outputting user-submitted data or data coming from a database (which may contain tags) into a large edit form while keeping whitespace characters<br />
^if(def $form:title){
   $data[$form:fields]
}{
   ^connect[$SQL.connect-string]{
      $data[^table::sql{SELECT title, lead, body FROM news WHERE news_id = $id}]
   }
}

^untaint[html]{
   <p>
      <b>Heading</b><br />
      <textarea name="title">$data.title
</textarea>
   </p>
   <p>
      <b>Announcement:</b><br />
      <textarea name="lead">$data.lead
</textarea>
   </p>
   <p>
      <b>News</b><br />
      <textarea name="body">$data.body
</textarea>
   </p>
}
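As an added illustration (not Parser's own code), the following Python model shows the marking described above, both for a bare $form:field sent to the browser and for ^untaint[html]{…} applied to a whole edit form: document code passes through verbatim, tainted pieces carry the type assigned by untaint (or keep a type already assigned by taint), and any still-unmarked tainted piece receives the output context's default type at output time. The transformation table and its escaping rules are simplified assumptions, not Parser's real implementations.

```python
import html
from dataclasses import dataclass
from typing import List, Optional

# Constructed transformation table (simplified stand-ins for Parser's real types).
TRANSFORMS = {
    "as-is": lambda s: s,
    "html": html.escape,
    "optimized-html": lambda s: s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;"),
    "sql": lambda s: s.replace("'", "''"),
}

@dataclass(frozen=True)
class Piece:
    text: str
    tainted: bool = False          # True for data that is not part of the document code
    marked: Optional[str] = None   # transformation type already assigned, if any

def literal(text: str) -> List[Piece]:
    """Parser code from the document body: never tainted, output verbatim."""
    return [Piece(text)]

def taint(text: str, ttype: Optional[str] = None) -> List[Piece]:
    """External data ($form:field) or ^taint[type][text]: tainted, optionally pre-marked."""
    return [Piece(text, True, ttype)]

def untaint(pieces: List[Piece], ttype: str = "as-is") -> List[Piece]:
    """^untaint[type]{code}: mark still-unmarked tainted pieces; leave marked ones alone."""
    return [Piece(p.text, True, p.marked or ttype) if p.tainted else p for p in pieces]

def output(pieces: List[Piece], default: str = "optimized-html") -> str:
    """apply-taint at output time: tainted pieces get their mark, or the context default."""
    return "".join(
        p.text if not p.tainted else TRANSFORMS[p.marked or default](p.text) for p in pieces
    )

def page_with_field(field_value: str) -> str:
    """$form:field written directly in the body and sent to the browser."""
    return output(literal("<html><body>") + taint(field_value) + literal("</body></html>"))

def page_with_untainted_field(field_value: str) -> str:
    """^untaint{$form:field}: marked as-is, so the browser receives it unchanged."""
    return output(literal("<html><body>") + untaint(taint(field_value)) + literal("</body></html>"))

def edit_form(title: str) -> str:
    """^untaint[html]{<textarea>$data.title</textarea>}: only the tainted value is escaped."""
    form = literal('<textarea name="title">') + taint(title) + literal("</textarea>")
    return output(untaint(form, "html"))
```

Calling page_with_field("</html>") shows the closing tag arriving as &lt;/html&gt;, while page_with_untainted_field("</html>") shows the same value passed through as-is.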

Secondly, you can use it to output XML to the browser (for instance, for AJAX, RSS, SOAP, etc.). In this situation optimized-html is not appropriate, and you must enclose the code in ^untaint[optimized-xml]{…} to ensure correct output.

Copyright © 1997–2025 Art. Lebedev Studio | http://www.artlebedev.com Last updated: 07.04.2024