Hi Edi,
----- Original message ----- From: "Edi Weitz" edi@agharta.de Date: Tue, 22 May 2007 08:35:58 +0200 Subject: Re: [cl-who-devel] escaping attributes question
On Tue, 22 May 2007 16:02:51 +1000, "Simon Cusack" scusack@fastmail.com.au wrote:
It seems like a sane thing to do to me
Not to me because you never know where the data you feed into the the macro comes from. It might as well be the case that it is already escaped. Turning escaping on by default with no means of turning it off seems very wrong to me.
Cheers, Edi.
Yeah not being able to control it for special cases is bad.
But you know that all values in the attribute position are always going to the html output stream and for it to be interpreted properly it should be escaped.
The decision to always emit to the html stream rather than requiring an esc, fmt or prn for all attribute values means that the values being emitted here are already getting special treatment from CL-WHO.
If the default position is a hands off one, then strictly speaking shouldn't all attribute values them be enclosed in (str ...), etal?
What if it was optional behaviour?
Regards, sim.