[cl-who-devel] ESC inside FMT doesn't get expanded

On Thu, 1 May 2008 20:54:01 +0200 (CEST), "Leslie P. Polzer" <leslie.polzer@gmx.net> wrote:
> Is this some kind of CL limitation?

Not exactly sure what you mean (some example code would be helpful), but it sounds as if you're expecting something that you shouldn't expect.

Edi.

> Not exactly sure what you mean (some example code would be helpful), but it sounds as if you're expecting something that you shouldn't expect.

I guess so, but I'm interested in the background. Here's the case:

    [4]> (in-package :cl-who)
    #<PACKAGE CL-WHO>
    WHO[5]> (with-html-output (*standard-output*) (:p (fmt "~A" (esc "foo"))))
    <p>
    *** - EVAL: undefined function ESC

Leslie

On Thu, 1 May 2008 22:29:35 +0200 (CEST), "Leslie P. Polzer" <leslie.polzer@gmx.net> wrote:
> Here's the case:
>
>     [4]> (in-package :cl-who)
>     #<PACKAGE CL-WHO>
>     WHO[5]> (with-html-output (*standard-output*) (:p (fmt "~A" (esc "foo"))))
>     <p>
>     *** - EVAL: undefined function ESC

Works as described: http://weitz.de/cl-who/#syntax

The macro sees (fmt "~A" (esc "foo")) and substitutes (format s "~A" (esc "foo")) for it. At this point, CL-WHO stops expanding, and ESC is treated like any other symbol.

Try this: http://weitz.de/cl-who/#escape-string

On May 2, 2008, at 2:29 AM, Leslie P. Polzer wrote:
> > At this point, CL-WHO stops expanding, and ESC is treated like any other symbol.
>
> The point for me is, why does it stop expanding? It would be nice to have the ESC shortcut in this case.

Why do you need to do that? You don't need to escape after that point. You can just directly put the string (or any other lisp expression) as the argument to fmt.

Osei

> Why do you need to do that?
> You don't need to escape after that point. You can just directly put the string (or any other lisp expression) as the argument to fmt.

Assume a malicious string ("<html>" in this case):

    WHO[8]> (with-html-output (*standard-output*) (fmt "<~A>" "<html>"))
    <<html>>
    NIL
    WHO[9]> (with-html-output (*standard-output*) (fmt "<~A>" (escape-string "<html>")))
    <&lt;html&gt;>
    NIL

Or did I misunderstand your question?

Leslie

On May 2, 2008, at 5:10 AM, Leslie P. Polzer wrote:
> > Why do you need to do that?
> > You don't need to escape after that point. You can just directly put the string (or any other lisp expression) as the argument to fmt.
>
> Assume a malicious string ("<html>" in this case):
>
>     WHO[8]> (with-html-output (*standard-output*) (fmt "<~A>" "<html>"))
>     <<html>>
>     NIL
>     WHO[9]> (with-html-output (*standard-output*) (fmt "<~A>" (escape-string "<html>")))
>     <&lt;html&gt;>
>     NIL

Why don't you use escape-string directly instead then? Like in your example. Why use esc at all?
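
Added example, not part of the original thread and not CL-WHO's own code: the cases discussed above side by side (FMT with a raw argument, FMT with ESCAPE-STRING, ESC directly in the body), plus a small wrapper that gives FMT-style output with escaped arguments. The package name `fmt-escape-demo`, the helper `format-escaped`, the other function names and the sample strings are assumptions made for this illustration, and Quicklisp is assumed to be installed.

```lisp
;;; Added example. Assumes Quicklisp is installed so CL-WHO can be loaded.
(eval-when (:compile-toplevel :load-toplevel :execute)
  (ql:quickload :cl-who))

(defpackage :fmt-escape-demo (:use :cl :cl-who))   ; hypothetical package name
(in-package :fmt-escape-demo)

;; Constructed sample inputs standing in for untrusted text.
(defparameter *samples* '("<html>" "Tom & \"Jerry\" <b>"))

(defun fmt-raw (input)
  "FMT hands its arguments to FORMAT untouched, so markup in INPUT survives."
  (with-html-output-to-string (s)
    (:p (fmt "<~A>" input))))

(defun fmt-escaped-arg (input)
  "ESCAPE-STRING is an ordinary function, so it can be called in FMT's arguments."
  (with-html-output-to-string (s)
    (:p (fmt "<~A>" (escape-string input)))))

(defun esc-in-body (input)
  "ESC is recognised when it appears directly in the body."
  (with-html-output-to-string (s)
    (:p (esc input))))

(defun format-escaped (stream control &rest args)
  "Hypothetical helper: FORMAT with every string argument HTML-escaped first.
Non-string arguments are passed through, so ~D and friends keep working."
  (apply #'format stream control
         (mapcar (lambda (arg) (if (stringp arg) (escape-string arg) arg))
                 args)))

(defun helper-in-body (input)
  "Any Lisp form in the body is evaluated as is, so the helper needs no macro support."
  (with-html-output-to-string (s)
    (:p (format-escaped s "<~A> (~D chars)" input (length input)))))

(defun raw-input-survives-p (html input)
  "True when INPUT appears verbatim in HTML, i.e. it was not escaped."
  (and (search input html) t))

;; Render every sample with every variant and flag output that kept the raw input.
(dolist (input *samples*)
  (dolist (render '(fmt-raw fmt-escaped-arg esc-in-body helper-in-body))
    (let ((html (funcall render input)))
      (format t "~&~16A ~:[escaped~;RAW    ~] ~A~%"
              render (raw-input-survives-p html input) html))))
```

Escaping only string arguments is a choice of this example; an argument whose printed form can contain markup has to be converted to a string and escaped before it reaches the helper.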
participants (3)
- Edi Weitz
- Leslie P. Polzer
- Osei Poku