xNUTs / episodes

Automatically exported from code.google.com/p/episodes
Apache License 2.0

Use encodeURIComponent() instead of escape() to encode cookie #11

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Episodes is currently using the escape() function to encode the URL in the 
cookie:
https://code.google.com/p/episodes/source/browse/trunk/episodes.js#315

In theory, this is completely fine, as the specification for HTTP Cookies 
(http://tools.ietf.org/html/rfc2965) only mentions the following around 
encoding:
"To maximize compatibility with user agents, servers that wish to store 
arbitrary data in a cookie-value SHOULD encode that data, for example, using 
Base64"

So, while technically the RFC doesn't even require URL encoding, it is the 
de-facto implementation. And most commonly used is the function 
encodeURIComponent().

In fact, the O'Reilly book "Javascript: The definitive Guide" mentions a helper 
function to parse cookies and states in the comment "Assume that cookie values 
are encoded with encodeURIComponent()."
https://www.inkling.com/read/javascript-definitive-guide-david-flanagan-6th/chapter-20/parsing-the-document-cookies

I could imagine that in reality a lot of people are making this assumption, and 
this can cause severe bugs (which we ran into):

> escape('http://www.foo.co.kr/방콕')
"http%3A//www.foo.co.kr/%uBC29%uCF55"

> encodeURIComponent('http://www.foo.co.kr/방콕')
"http%3A%2F%2Fwww.foo.co.kr%2F%EB%B0%A9%EC%BD%95"

> decodeURIComponent(escape('http://www.foo.co.kr/방콕'))
URIError: URI malformed

Original issue reported on code.google.com by fuch...@gmail.com on 23 Mar 2014 at 1:25
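The failure described in the report above, as an added example that is not part of the episodes project or the reporter's code: a cookie parser written the way the Flanagan book's helper is (it assumes values were encoded with encodeURIComponent()), fed a value that was written with the legacy escape(). The function names (parseCookies, legacyCookie, componentCookie, readBack) and the cookie header strings are constructed for the example; the URL is the one from the issue.

```javascript
// Added example (not from the episodes project): a cookie written with the
// legacy escape() cannot be read back by a consumer that assumes
// encodeURIComponent() encoding, while an encodeURIComponent()-encoded value
// round-trips exactly.

// Parser in the style of the Flanagan book's helper. It takes the cookie
// string as a parameter (instead of reading document.cookie) so it runs in
// Node as well as in a browser, and assumes encodeURIComponent() encoding.
function parseCookies(cookieString) {
  const cookies = {};
  if (!cookieString) return cookies;
  for (const pair of cookieString.split("; ")) {
    const eq = pair.indexOf("=");
    if (eq === -1) continue;
    const name = pair.slice(0, eq);
    const raw = pair.slice(eq + 1);
    try {
      cookies[name] = decodeURIComponent(raw);
    } catch (e) {
      // An escape()-encoded value (%uXXXX sequences) lands here: report the
      // error name and keep the raw text instead of throwing in the parser.
      cookies[name] = { error: e.name, raw };
    }
  }
  return cookies;
}

// URL from the issue report: its path contains characters above U+00FF.
const SAMPLE_URL = "http://www.foo.co.kr/방콕";

// Legacy encoder (what the report says episodes.js was doing). escape() is
// still a global in Node and browsers (ECMAScript Annex B), so this runs, but
// it emits %uXXXX for characters above U+00FF, which is not percent-encoding.
function legacyCookie(name, value) {
  return `${name}=${escape(value)}`;
}

// Encoder the report proposes: proper percent-encoding of UTF-8 bytes.
function componentCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}`;
}

// Read one cookie back the way a consumer would. Returns the decoded string
// on success, or the error name when decoding failed.
function readBack(cookieHeader, name) {
  const v = parseCookies(cookieHeader)[name];
  return typeof v === "string" ? v : v.error;
}

// escape()-encoded value: decodeURIComponent() rejects the %uXXXX sequences.
console.log(readBack(legacyCookie("url", SAMPLE_URL), "url"));    // "URIError"
// encodeURIComponent()-encoded value: comes back byte-for-byte identical.
console.log(readBack(componentCookie("url", SAMPLE_URL), "url")); // SAMPLE_URL
```

The try/catch inside parseCookies matters in practice: without it a single cookie written by the old encoder would make the whole parser throw, taking every other cookie on the page down with it.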

GoogleCodeExporter commented 8 years ago
Thanks for this! MDN is stronger when it comes to escape(): "This feature has 
been removed from the Web. Though some browsers may still support it, it is in 
the process of being dropped. Do not use it in old or new projects. Pages or 
Web apps using it may break at any time. ... Use encodeURI or 
encodeURIComponent instead."

It seems like encodeURI is more appropriate and fewer chars. Is there a reason 
you want to use encodeURIComponent?

Original comment by stevesou...@gmail.com on 24 Apr 2014 at 12:51

GoogleCodeExporter commented 8 years ago
Ah, you're right. That does seem like the better choice, especially as it's 
compatible with decodeURIComponent() as well.

I guess I just chose encodeURIComponent, since URL encoding is the de-facto 
standard. But since it's not required, I'm all for shorter encoding.

Original comment by fuch...@gmail.com on 24 Apr 2014 at 1:32
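The encodeURI versus encodeURIComponent comparison from the two comments above, as an added example that is not part of the episodes project or either commenter's code. It confirms that both encodings decode with decodeURIComponent() and that encodeURI() is shorter, and adds the check a cookie writer needs: encodeURI() leaves URL delimiters such as ";" unencoded, and ";" is also the attribute separator in a cookie string. The helper names (encodeWithURI, encodeWithComponent, isCookieSafe, compare) and the second URL are constructed for the example; the first URL is the one from the issue.

```javascript
// Added example (not from the episodes project): encodeURI() vs
// encodeURIComponent() as cookie-value encoders. Both decode with
// decodeURIComponent(); encodeURI() is shorter but keeps URL delimiters raw,
// and one of them, ";", terminates a cookie value.

// Characters a cookie value must not contain raw: RFC 6265's cookie-octet
// excludes ";", ",", whitespace, '"' and "\". A ";" in particular makes the
// browser treat the rest of the value as a cookie attribute.
const COOKIE_UNSAFE = /[;,\s"\\]/;

// The two encoders under discussion, wrapped so the comparison reads clearly.
function encodeWithURI(value) { return encodeURI(value); }
function encodeWithComponent(value) { return encodeURIComponent(value); }

// True when the encoded value can be stored in a cookie without being split
// or truncated by the cookie parser.
function isCookieSafe(encoded) { return !COOKIE_UNSAFE.test(encoded); }

// Constructed inputs: the URL from the issue, and a URL whose path uses ";"
// as a parameter delimiter and carries a space in the query (both legal in
// URLs; the ";" is fatal inside a cookie value).
const PLAIN_URL = "http://www.foo.co.kr/방콕";
const URL_WITH_SEMICOLON = "http://www.foo.co.kr/item;sid=42?q=a b";

// Encode one URL both ways and report length, cookie safety and round-trip.
function compare(url) {
  const uri = encodeWithURI(url);
  const comp = encodeWithComponent(url);
  return {
    uri,
    comp,
    uriShorter: uri.length < comp.length,
    uriSafe: isCookieSafe(uri),
    compSafe: isCookieSafe(comp),
    // decodeURIComponent() accepts both encodings, as the thread notes.
    bothRoundTrip: decodeURIComponent(uri) === url && decodeURIComponent(comp) === url,
  };
}

console.log(compare(PLAIN_URL));          // uriShorter, uriSafe, compSafe, bothRoundTrip all true
console.log(compare(URL_WITH_SEMICOLON)); // uriSafe false: the ";" survives encodeURI()
```

For a URL like the one in the issue the shorter encodeURI() output is fine; for a cookie value that may contain arbitrary URLs, the isCookieSafe() check (or encodeURIComponent(), which never leaves ";" unencoded) is what keeps a single odd URL from truncating the stored value.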

GoogleCodeExporter commented 8 years ago
fixed

Original comment by stevesou...@gmail.com on 23 Jul 2014 at 12:41