Discussion:
Bug report: ESC applied to attribute values produces spurious output
Ron Garret
2013-04-30 18:39:43 UTC
? (with-html-output-to-string (s) ((:a :href (esc "XXX")) (esc "YYY")))
"<aXXX href='XXX'>YYY</a>"

My actual use case is:

(:a :onclick (esc "f('str')"))

This is CL-WHO 1.1.1 acquired through quicklisp.

rg
Stas Boukarev
2013-04-30 18:47:53 UTC
Post by Ron Garret
? (with-html-output-to-string (s) ((:a :href (esc "XXX")) (esc "YYY")))
"<aXXX href='XXX'>YYY</a>"
(:a :onclick (esc "f('str')"))
This is CL-WHO 1.1.1 acquired through quicklisp.
That's not a bug, the attributes don't need STR or ESC.
(with-html-output-to-string (s) ((:a :href (escape-string "XXX")) (esc "YYY")))
--
With best regards, Stas.
Ron Garret
2013-04-30 19:02:36 UTC
Post by Stas Boukarev
Post by Ron Garret
? (with-html-output-to-string (s) ((:a :href (esc "XXX")) (esc "YYY")))
"<aXXX href='XXX'>YYY</a>"
(:a :onclick (esc "f('str')"))
This is CL-WHO 1.1.1 acquired through quicklisp.
That's not a bug, the attributes don't need STR or ESC.
(with-html-output-to-string (s) ((:a :href (escape-string "XXX")) (esc "YYY")))
Well, they need something if you want to embed a single-quoted string inside them:

? (with-html-output-to-string (s) ((:input :type :button :onclick "alert('foo')")))
"<input type='BUTTON' onclick='alert('foo')' />"

rg
Jens Teich
2013-04-30 19:13:28 UTC
Post by Ron Garret
Post by Stas Boukarev
Post by Ron Garret
? (with-html-output-to-string (s) ((:a :href (esc "XXX")) (esc "YYY")))
"<aXXX href='XXX'>YYY</a>"
(:a :onclick (esc "f('str')"))
This is CL-WHO 1.1.1 acquired through quicklisp.
That's not a bug, the attributes don't need STR or ESC.
(with-html-output-to-string (s) ((:a :href (escape-string "XXX")) (esc "YYY")))
? (with-html-output-to-string (s) ((:input :type :button :onclick "alert('foo')")))
"<input type='BUTTON' onclick='alert('foo')' />"
You need parenscript

:onclick (ps (alert ...))

~jens
Ron Garret
2013-04-30 19:19:25 UTC
Post by Jens Teich
Post by Ron Garret
Post by Stas Boukarev
Post by Ron Garret
? (with-html-output-to-string (s) ((:a :href (esc "XXX")) (esc "YYY")))
"<aXXX href='XXX'>YYY</a>"
(:a :onclick (esc "f('str')"))
This is CL-WHO 1.1.1 acquired through quicklisp.
That's not a bug, the attributes don't need STR or ESC.
(with-html-output-to-string (s) ((:a :href (escape-string "XXX")) (esc "YYY")))
? (with-html-output-to-string (s) ((:input :type :button :onclick "alert('foo')")))
"<input type='BUTTON' onclick='alert('foo')' />"
You need parenscript
:onclick (ps (alert ...))
No, that won't help. PS just produces the same troublesome string:

? (parenscript::ps (alert "foo"))
"alert('foo');"
? (with-html-output-to-string (s) ((:input :type :button :onclick (parenscript::ps (alert "foo")))))
"<input type='BUTTON' onclick='alert('foo');' />"
Jens Teich
2013-04-30 19:33:50 UTC
Post by Ron Garret
Post by Jens Teich
Post by Ron Garret
Post by Stas Boukarev
Post by Ron Garret
? (with-html-output-to-string (s) ((:a :href (esc "XXX")) (esc "YYY")))
"<aXXX href='XXX'>YYY</a>"
(:a :onclick (esc "f('str')"))
This is CL-WHO 1.1.1 acquired through quicklisp.
That's not a bug, the attributes don't need STR or ESC.
(with-html-output-to-string (s) ((:a :href (escape-string "XXX")) (esc "YYY")))
? (with-html-output-to-string (s) ((:input :type :button :onclick "alert('foo')")))
"<input type='BUTTON' onclick='alert('foo')' />"
You need parenscript
:onclick (ps (alert ...))
? (parenscript::ps (alert "foo"))
"alert('foo');"
? (with-html-output-to-string (s) ((:input :type :button :onclick (parenscript::ps (alert "foo")))))
"<input type='BUTTON' onclick='alert('foo');' />"
(setq ps:*js-string-delimiter* #\" )
Ron Garret
2013-04-30 19:46:46 UTC
Post by Jens Teich
Post by Ron Garret
Post by Jens Teich
Post by Ron Garret
Post by Stas Boukarev
Post by Ron Garret
? (with-html-output-to-string (s) ((:a :href (esc "XXX")) (esc "YYY")))
"<aXXX href='XXX'>YYY</a>"
(:a :onclick (esc "f('str')"))
This is CL-WHO 1.1.1 acquired through quicklisp.
That's not a bug, the attributes don't need STR or ESC.
(with-html-output-to-string (s) ((:a :href (escape-string "XXX")) (esc "YYY")))
? (with-html-output-to-string (s) ((:input :type :button :onclick "alert('foo')")))
"<input type='BUTTON' onclick='alert('foo')' />"
You need parenscript
:onclick (ps (alert ...))
? (parenscript::ps (alert "foo"))
"alert('foo');"
? (with-html-output-to-string (s) ((:input :type :button :onclick (parenscript::ps (alert "foo")))))
"<input type='BUTTON' onclick='alert('foo');' />"
(setq ps:*js-string-delimiter* #\" )
Ooh! So close! Turns out this exposes a bug in parenscript:

? (setq ps:*js-string-delimiter* #\" )
#\"
? (princ (ps:ps (alert "'\"")))
alert("\'"");
"alert(\"\\'\"\");"

But I guess this is close enough for my current needs. Thanks!

rg
t***@wemba.edu.pl
2013-04-30 19:51:43 UTC
Post by Ron Garret
Post by Jens Teich
Post by Ron Garret
Post by Jens Teich
Post by Ron Garret
Post by Stas Boukarev
Post by Ron Garret
? (with-html-output-to-string (s) ((:a :href (esc "XXX")) (esc "YYY")))
"<aXXX href='XXX'>YYY</a>"
(:a :onclick (esc "f('str')"))
This is CL-WHO 1.1.1 acquired through quicklisp.
That's not a bug, the attributes don't need STR or ESC.
(with-html-output-to-string (s) ((:a :href (escape-string "XXX")) (esc "YYY")))
? (with-html-output-to-string (s) ((:input :type :button :onclick "alert('foo')")))
"<input type='BUTTON' onclick='alert('foo')' />"
You need parenscript
:onclick (ps (alert ...))
? (parenscript::ps (alert "foo"))
"alert('foo');"
? (with-html-output-to-string (s) ((:input :type :button :onclick (parenscript::ps (alert "foo")))))
"<input type='BUTTON' onclick='alert('foo');' />"
(setq ps:*js-string-delimiter* #\" )
? (setq ps:*js-string-delimiter* #\" )
#\"
? (princ (ps:ps (alert "'\"")))
alert("\'"");
"alert(\"\\'\"\");"
But I guess this is close enough for my current needs. Thanks!
rg
How about this:

(setq cl-who:*attribute-quote-char* #\")

(cl-who:with-html-output-to-string (s) ((:input :type :button :onclick "alert('foo')")))
"<input type=\"BUTTON\" onclick=\"alert('foo')\" />"

PT
Sebastian Tennant
2013-04-30 20:55:53 UTC
Post by Ron Garret
Post by Stas Boukarev
Post by Ron Garret
? (with-html-output-to-string (s) ((:a :href (esc "XXX")) (esc "YYY")))
"<aXXX href='XXX'>YYY</a>"
(:a :onclick (esc "f('str')"))
This is CL-WHO 1.1.1 acquired through quicklisp.
That's not a bug, the attributes don't need STR or ESC.
(with-html-output-to-string (s) ((:a :href (escape-string "XXX")) (esc "YYY")))
? (with-html-output-to-string (s) ((:input :type :button :onclick "alert('foo')")))
"<input type='BUTTON' onclick='alert('foo')' />"
You have a choice. You can either stick with single quotes around foo and
change *attribute-quote-char* to double quotes, or leave *attribute-quote-char*
as it is and use double quotes around foo.
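
The quoting collision discussed in this thread, as an added example that is not part of the original posts and is not CL-WHO's own code: it puts the verbatim handler next to one that is encoded once for the JavaScript string context and once more, with `escape-string`, for the attribute context. The names `js-string-literal`, `button-unescaped`, `button-escaped` and `*sample*` are hypothetical, and the code assumes CL-WHO is already loaded.

```lisp
;;; Added example, not from the thread or from CL-WHO's sources.
;;; Assumes CL-WHO is loaded, e.g. (ql:quickload :cl-who).
(defpackage :attr-quote-demo
  (:use :cl)
  (:import-from :cl-who #:with-html-output-to-string #:escape-string))
(in-package :attr-quote-demo)

(defun js-string-literal (text)
  "Hypothetical helper: TEXT as a double-quoted JavaScript string literal.
Characters that matter to HTML or that end a JS string go out as \\uXXXX."
  (with-output-to-string (out)
    (write-char #\" out)
    (loop for ch across text
          for code = (char-code ch)
          do (cond ((char= ch #\\) (write-string "\\\\" out))
                   ((char= ch #\") (write-string "\\\"" out))
                   ((or (find ch "<>&'")
                        (< code 32)
                        (<= #x2028 code #x2029))
                    (format out "\\u~4,'0x" code))
                   (t (write-char ch out))))
    (write-char #\" out)))

(defun button-unescaped (message)
  "The pattern from the thread: the handler goes into the attribute verbatim,
so a quote character in it can end the attribute early."
  (with-html-output-to-string (s)
    (:input :type "button"
            :onclick (format nil "alert('~a')" message))))

(defun button-escaped (message)
  "Layer 1: encode MESSAGE for the JavaScript string context.
Layer 2: HTML-escape the whole handler for the attribute context."
  (with-html-output-to-string (s)
    (:input :type "button"
            :onclick (escape-string
                      (format nil "alert(~a)" (js-string-literal message))))))

;; Constructed sample input containing both quote characters.
(defparameter *sample* "it's a \"test\"")

(print (button-unescaped *sample*))
(print (button-escaped *sample*))
```

The escaped handler contains no raw `'` or `"`, so it stays inside the attribute under either `*attribute-quote-char*` setting mentioned in the thread.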
