XML Output: libxo - provide single API to output TXT, XML, JSON and HTML
Phil Shafer
phil at juniper.net
Thu Jul 31 18:40:33 UTC 2014
John-Mark Gurney writes:
>Return an error? printf can return an error, yet most people don't
>check it.. so no real difference in API/bugs...
My concern is emitting half a string, where the half we don't emit
is something important. I don't want to make the opposite of an
injection attack, where arranging some daemon to call xo_emit with
a broken UTF-8 string allows an evil-doer to fix their evil content
into the other half of the string.
I'm escaping XML, JSON, and HTML content already, so the simplest
scheme is to:
a) UTF-8 check the format string;
   if it fails, nothing is emitted
b) for each format descriptor, check the content generated;
   if it fails, nothing is emitted from the xo_emit call
   anything already generated is discarded
Simple and easy. Seem reasonable? The other option would be to
discard only that specific format descriptor or only that field
description.
xo_emit("{:good/%d}{:bad/%d%s}{:ugly}", 0, 55, "\xff\x01\xff", "cat");
Does the "<ugly>cat</ugly>" get emitted? Is "<bad>55</bad>" emitted?
If "ugly" was <run-this-command-as-user>phil</...>, and the bogus
string blocked the generation of that vital bit of info, life could
be bad.
Unfortunately, even this isn't a simple fix for "w", which wants to
call wcsftime() to get wide values for month and day-of-the-week
names. Does wcsrtombs() convert this to UTF-8? Is there a locale
for UTF-8?
Thanks,
Phil
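
The all-or-nothing scheme from (a) and (b) above, as an added example that is not part of the original message and is not libxo code. It assumes a simplified interface: struct field, str_ok() and emit_all_or_nothing() are hypothetical names, fields arrive as name/value pairs instead of a parsed format string, and XML escaping is left out.

```c
#include <stdio.h>
#include <string.h>

/* 1 if s[0..len) is well-formed UTF-8 (rejects overlongs, surrogates, > U+10FFFF). */
static int utf8_valid(const unsigned char *s, size_t len) {
    size_t i = 0, n, k;
    unsigned long cp;
    while (i < len) {
        unsigned char c = s[i];
        if (c < 0x80) { i++; continue; }
        if (c >= 0xC2 && c <= 0xDF) { n = 1; cp = c & 0x1F; }
        else if (c >= 0xE0 && c <= 0xEF) { n = 2; cp = c & 0x0F; }
        else if (c >= 0xF0 && c <= 0xF4) { n = 3; cp = c & 0x07; }
        else return 0;                       /* 0x80..0xC1 or 0xF5..0xFF */
        if (len - i <= n) return 0;          /* sequence cut short */
        for (k = 1; k <= n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if ((n == 2 && cp < 0x800) || (n == 3 && cp < 0x10000)) return 0;
        if ((cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return 0;
        i += n + 1;
    }
    return 1;
}

struct field { const char *name, *value; };  /* hypothetical, not a libxo type */
static int str_ok(const char *s) { return utf8_valid((const unsigned char *)s, strlen(s)); }

/* All-or-nothing: a bad name/value or a full buffer empties out and returns -1. */
static int emit_all_or_nothing(char *out, size_t outsz, const struct field *f, size_t nf) {
    size_t used = 0, i;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (i = 0; i < nf; i++) {
        int n = -1;                          /* stays -1 if validation fails */
        if (str_ok(f[i].name) && str_ok(f[i].value))
            n = snprintf(out + used, outsz - used, "<%s>%s</%s>", f[i].name, f[i].value, f[i].name);
        if (n < 0 || (size_t)n >= outsz - used) { out[0] = '\0'; return -1; }
        used += (size_t)n;
    }
    return (int)used;
}

int main(void) {
    /* Constructed input mirroring the xo_emit() call in the message. */
    struct field f[] = {{"good", "0"}, {"bad", "55\xff\x01\xff"}, {"ugly", "cat"}};
    char buf[128];
    printf("%d \"%s\"\n", emit_all_or_nothing(buf, sizeof buf, f, 3), buf);
    return 0;
}
```

With the constructed input, neither "good" nor "ugly" is left in the buffer, and the caller sees the failure through the -1 return value.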