When using a URL in a panel which requests external XML, the following variables can be used in those URLs:

%qs_XXX%: Replaced by the matching querystring value (with name "XXX")
%user%: the user name in CHILI (with which the API is being used)
%doc_id%: the ID of the current document
%doc_userAssetDir%: the documents userAssetDirectory
%doc_userGroupAssetDir%: the documents userGroupAssetDirectory
%doc_documentAssetDir%: the documents assetDirectory

For example, the URL returned might be:

returnedURL = "http://localhost/CHILI/Admin/editor.aspx?doc=XXX&ws=YYY&userAssetDirectory=CHILIUSER"
String = "&userAssetDirectory="

The various asset directories can be configured in a variety of ways:

Manually, inside the CHILI document (under the "Document Settings" Panel, where they will also be visualized when populated through another means)
Through the ?Webservice Functions - SetAssetDirectories call (see ?API Key Settings)
By passing them to the editor URL as QueryString variables (see ?Embedding an Editor in your own portals):
- userAssetDirectory
- userGroupAssetDirectory
- documentAssetDirectory

The %qs_XXX% pattern can be used to pass your own data into the current Editor. This can include pretty much any relevant information which can be used in your dynamic pages (returning the XML) to influence the logic of the content to be returned. You can pass the additional querystring variables by simply appending them (with a URL encoded value, of course) to the URL you receive from ?Webservice Functions - DocumentGetEditorURL. For example, the URL returned might be:

string returnedURL = "http://localhost/CHILI/Admin/editor.aspx?doc=XXX&ws=YYY&MORE_HERE"; //HARDCODED FOR DEMO PURPOSES ONLY
string myTemplateID = "123";

To that, you can append your own variables:

returnedURL += "&MY_TEMPLATE_ID=" + HttpUtility.UrlEncode(myTemplateID);

And after that, you can use the (full) pattern in the various panel configurations as:

http://myserver/mypage.aspx?action=showimages&MY_FORWARDED_TEMPLATE_ID=%qs_MY_TEMPLATE_ID%

In that configuration, "%qs_MY_TEMPLATE_ID%" will be replaced by CHILI editor by the passed data ("123"), which will be available in your dynamic page as the "MY_FORWARDED_TEMPLATE_ID" querystring variable.

When sensitive information needs to be passed in this fashion (such as the user ID), you might of course be better of combining this with another mechanism, such as:

Passing along a session ID (or something similar) in the form of a globally unique ID
Passing the data (for both editor and dynamic URLs) over HTTPS
Combining a user or session ID together with an encrypted value of the original ID (and comparing that on intake with the same ID encrypted through the same mechanism)
...

NOTE: all external URLs are downloaded by the CHILI server, and never from CHILI Editor. This allows for additional security options. Your dynamic pages only need to be accessible from the CHILI Server, and can be blocked from the outside world (with the exception of image/snippet thumbnails, of course)

Browser not supported