[cl-who-devel] escaping attributes question

Simon Cusack scusack at fastmail.com.au
Tue May 22 07:07:59 UTC 2007


Hi Edi,

>> ----- Original message -----
>> From: "Edi Weitz" <edi at agharta.de>
>> Date: Tue, 22 May 2007 08:35:58 +0200
>> Subject: Re: [cl-who-devel] escaping attributes question
>>  
>> On Tue, 22 May 2007 16:02:51 +1000, "Simon Cusack"
>> <scusack at fastmail.com.au> wrote:
>>  
>> > It seems like a sane thing to do to me
>>  
>> Not to me because you never know where the data you feed into the the
>> macro comes from.  It might as well be the case that it is already
>> escaped.  Turning escaping on by default with no means of turning it
>> off seems very wrong to me.

>> Cheers,
>> Edi.

Yeah not being able to control it for special cases is bad.

But you know that all values in the attribute position are always
going to the html output stream and for it to be interpreted properly
it should be escaped.  

The decision to always emit to the html stream rather than requiring
an esc, fmt or prn for all attribute values means that the values
being emitted here are already getting special treatment from CL-WHO.

If the default position is a hands off one, then strictly speaking
shouldn't all attribute values them be enclosed in (str ...), etal?

What if it was optional behaviour?

Regards, sim.




More information about the Cl-who-devel mailing list