[cl-who-devel] ESC inside FMT doesn't get expanded
Osei Poku
osei.poku at gmail.com
Fri May 2 13:36:05 UTC 2008
On May 2, 2008, at 5:10 AM, Leslie P. Polzer wrote:
>>
>> Why do you need to do that?
>>
>> You don't need to escape after that point. You can just directly put
>> the string (or any other lisp expression) as the argument to fmt.
>
> Assume a malicious string ("<html>" in this case):
>
> WHO[8]> (with-html-output (*standard-output*) (fmt "<~A>" "<html>"))
> <<html>>
> NIL
> WHO[9]> (with-html-output (*standard-output*) (fmt "<~A>" (escape-string "<html>")))
> <&lt;html&gt;>
> NIL
>
Why don't you use escape-string directly instead then? Like in your
example. Why use esc at all?
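
The pattern discussed in this message, as an added example that is not part of the original post: `esc` is handled by CL-WHO only as a form of its own in the body, while `escape-string` is an ordinary function and can wrap any argument passed to `fmt`. The package name, function names and sample string are assumptions made for illustration; CL-WHO must be loaded first.

```lisp
;;; Added example, not code from the thread. Assumes CL-WHO is loaded,
;;; e.g. (ql:quickload :cl-who). All names defined here are hypothetical.
(defpackage :fmt-demo (:use :cl :cl-who))
(in-package :fmt-demo)

;; Constructed sample input standing in for user-supplied text.
(defparameter *name* "<b>Mallory</b> & co")

(defun render-raw (name)
  "FMT hands its arguments to FORMAT untouched, so markup in NAME
reaches the page as markup."
  (with-html-output-to-string (out)
    (:p (fmt "Hello, ~A!" name))))

(defun render-escaped (name)
  "ESCAPE-STRING is a plain function call, valid inside FMT's arguments."
  (with-html-output-to-string (out)
    (:p (fmt "Hello, ~A!" (escape-string name)))))

(defun render-esc (name)
  "ESC used where CL-WHO processes it: as its own form in the body."
  (with-html-output-to-string (out)
    (:p "Hello, " (esc name) "!")))

(defun escape-args (args)
  "Escape every string in ARGS; other objects (e.g. numbers) pass through."
  (mapcar (lambda (arg) (if (stringp arg) (escape-string arg) arg)) args))

(defun render-many (name count)
  "Escape all string arguments in one place, then emit the result with STR,
which writes its argument without further escaping."
  (with-html-output-to-string (out)
    (:p (str (apply #'format nil "~A has ~D new messages"
                    (escape-args (list name count)))))))

;; Print each rendering so the raw and escaped forms can be compared.
(dolist (html (list (render-raw *name*)
                    (render-escaped *name*)
                    (render-esc *name*)
                    (render-many *name* 3)))
  (format t "~A~%" html))
```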