search

carhartl / jquery-cookie

No longer maintained, superseded by JS Cookie:
https://github.com/js-cookie/js-cookie
MIT License
8.57k stars 4.06k forks source link

Use of encodeURIComponent() on cookie values should be escape() #3

Closed cwhatley closed 13 years ago

cwhatley commented 13 years ago

Is encodeURIComponent() correct here for escaping the value of the cookie? Shouldn't it be "escape"?

Cookies come in and out of your plugin just fine, but cookies containing a pathname are not really usable as-is by anyone else because of your choice of encoding.

carhartl commented 13 years ago

Reason to use encodeURIComponent / decodeURIComponent was that escape / unescape is deprecated.

Apart from that I haven't yet understood what the problem is here. The cookie value runs through decodeURIComponent before it is returned; thus, unless I am missing something, it should be exactly the same as what it was when passed into the cookie. Could you please post a gist or something to illustrate the issue?

Last not least you can use the raw option to bypass encoding in the first place.

cwhatley commented 13 years ago

You are right about it being deprecated. Probably encodeURI() is what is really needed instead of encodeURIComponent().

Here's the problem in a nutshell: Your code works only if the cookie is being created and consumed via your plugin. If you create a cookie with your plugin and then try to read it from a php or java app, that app has to know that the cookie is encoded with encodeURIComponent() and should be urldecoded() on the backend.

The main place this causes a problem is when you put a URL or URI in a cookie. Let's say I want to put "/foo" in a cookie. EncodeURIComponent() gives me the unusable pathname "%2Ffoo" while encodeURI() gives me "/foo" which is directly consumable by any backend system or anyone else using the cookie without your plugin.

The advantage of encode() here is actually that if you have a semicolon in your cookie value, it gets escaped out. encodeURI() doesn't escape the semicolon, so you will have to add some code to handle that on top of the use of encodeURI().

Raw is OK, but I'm assuming maybe you added that because people had issues with the encoding. If you use encodeURI(), then you probably don't need it anymore.

carhartl commented 13 years ago

Reason I cannot use encodeURI:

encodeURI('foo;bar') == "foo;bar"

But:

encodeURIComponent('foo;bar') == "foo%3Bbar"

The latter is the behavior we want.

raw was in fact added to account for playing nice with a server.

wheresrhys commented 13 years ago

I'm curious as to why you want that behaviour? Struggling to find an answer elsewhere http://stackoverflow.com/questions/5743119/why-use-encodeuricomponent-when-writing-json-to-a-cookie

Ahnfelt commented 11 years ago

Just if anybody else finds this discussion while searching for an answer like I did:

Cookies are passed to the server as a HTTP header:

Cookie: name1=value1; name2=value2

Obviously, value1 is not allowed to contain a ;

There are also other problematic characters.

The fact is that cookies are fundamentally hampered by the lack of encoding. You have to choose an encoding and use it both in the browser and on the server.

MDN recommends encodeURIComponent: https://developer.mozilla.org/en-US/docs/Web/API/document.cookie