This repository has been archived by the owner. It is now read-only.

Use of encodeURIComponent() on cookie values should be escape() #3

Closed
cwhatley opened this Issue Jan 20, 2011 · 5 comments

Comments

4 participants
@cwhatley

cwhatley commented Jan 20, 2011

Is encodeURIComponent() correct here for escaping the value of the cookie? Shouldn't it be "escape"?

Cookies come in and out of your plugin just fine, but cookies containing a pathname are not really usable as-is by anyone else because of your choice of encoding.

@carhartl

This comment has been minimized.

Show comment
Hide comment
@carhartl

carhartl Jan 20, 2011

Owner

Reason to use encodeURIComponent / decodeURIComponent was that escape / unescape is deprecated.

Apart from that I haven't yet understood what the problem is here. The cookie value runs through decodeURIComponent before it is returned; thus, unless I am missing something, it should be exactly the same as what it was when passed into the cookie. Could you please post a gist or something to illustrate the issue?

Last not least you can use the raw option to bypass encoding in the first place.

Owner

carhartl commented Jan 20, 2011

Reason to use encodeURIComponent / decodeURIComponent was that escape / unescape is deprecated.

Apart from that I haven't yet understood what the problem is here. The cookie value runs through decodeURIComponent before it is returned; thus, unless I am missing something, it should be exactly the same as what it was when passed into the cookie. Could you please post a gist or something to illustrate the issue?

Last not least you can use the raw option to bypass encoding in the first place.

@cwhatley

This comment has been minimized.

Show comment
Hide comment
@cwhatley

cwhatley Jan 20, 2011

You are right about it being deprecated. Probably encodeURI() is what is really needed instead of encodeURIComponent().

Here's the problem in a nutshell: Your code works only if the cookie is being created and consumed via your plugin. If you create a cookie with your plugin and then try to read it from a php or java app, that app has to know that the cookie is encoded with encodeURIComponent() and should be urldecoded() on the backend.

The main place this causes a problem is when you put a URL or URI in a cookie. Let's say I want to put "/foo" in a cookie. EncodeURIComponent() gives me the unusable pathname "%2Ffoo" while encodeURI() gives me "/foo" which is directly consumable by any backend system or anyone else using the cookie without your plugin.

The advantage of encode() here is actually that if you have a semicolon in your cookie value, it gets escaped out. encodeURI() doesn't escape the semicolon, so you will have to add some code to handle that on top of the use of encodeURI().

Raw is OK, but I'm assuming maybe you added that because people had issues with the encoding. If you use encodeURI(), then you probably don't need it anymore.

cwhatley commented Jan 20, 2011

You are right about it being deprecated. Probably encodeURI() is what is really needed instead of encodeURIComponent().

Here's the problem in a nutshell: Your code works only if the cookie is being created and consumed via your plugin. If you create a cookie with your plugin and then try to read it from a php or java app, that app has to know that the cookie is encoded with encodeURIComponent() and should be urldecoded() on the backend.

The main place this causes a problem is when you put a URL or URI in a cookie. Let's say I want to put "/foo" in a cookie. EncodeURIComponent() gives me the unusable pathname "%2Ffoo" while encodeURI() gives me "/foo" which is directly consumable by any backend system or anyone else using the cookie without your plugin.

The advantage of encode() here is actually that if you have a semicolon in your cookie value, it gets escaped out. encodeURI() doesn't escape the semicolon, so you will have to add some code to handle that on top of the use of encodeURI().

Raw is OK, but I'm assuming maybe you added that because people had issues with the encoding. If you use encodeURI(), then you probably don't need it anymore.

@carhartl

This comment has been minimized.

Show comment
Hide comment
@carhartl

carhartl Jan 27, 2011

Owner

Reason I cannot use encodeURI:

encodeURI('foo;bar') == "foo;bar"

But:

encodeURIComponent('foo;bar') == "foo%3Bbar"

The latter is the behavior we want.

raw was in fact added to account for playing nice with a server.

Owner

carhartl commented Jan 27, 2011

Reason I cannot use encodeURI:

encodeURI('foo;bar') == "foo;bar"

But:

encodeURIComponent('foo;bar') == "foo%3Bbar"

The latter is the behavior we want.

raw was in fact added to account for playing nice with a server.

@wheresrhys

This comment has been minimized.

Show comment
Hide comment
@wheresrhys

wheresrhys Apr 21, 2011

I'm curious as to why you want that behaviour? Struggling to find an answer elsewhere http://stackoverflow.com/questions/5743119/why-use-encodeuricomponent-when-writing-json-to-a-cookie

wheresrhys commented Apr 21, 2011

I'm curious as to why you want that behaviour? Struggling to find an answer elsewhere http://stackoverflow.com/questions/5743119/why-use-encodeuricomponent-when-writing-json-to-a-cookie

@Ahnfelt

This comment has been minimized.

Show comment
Hide comment
@Ahnfelt

Ahnfelt Sep 17, 2013

Just if anybody else finds this discussion while searching for an answer like I did:

Cookies are passed to the server as a HTTP header:

Cookie: name1=value1; name2=value2

Obviously, value1 is not allowed to contain a ;

There are also other problematic characters.

The fact is that cookies are fundamentally hampered by the lack of encoding. You have to choose an encoding and use it both in the browser and on the server.

MDN recommends encodeURIComponent: https://developer.mozilla.org/en-US/docs/Web/API/document.cookie

Ahnfelt commented Sep 17, 2013

Just if anybody else finds this discussion while searching for an answer like I did:

Cookies are passed to the server as a HTTP header:

Cookie: name1=value1; name2=value2

Obviously, value1 is not allowed to contain a ;

There are also other problematic characters.

The fact is that cookies are fundamentally hampered by the lack of encoding. You have to choose an encoding and use it both in the browser and on the server.

MDN recommends encodeURIComponent: https://developer.mozilla.org/en-US/docs/Web/API/document.cookie

This issue was closed.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.