Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Use of encodeURIComponent() on cookie values should be escape() #3
Reason to use
Apart from that I haven't yet understood what the problem is here. The cookie value runs through decodeURIComponent before it is returned; thus, unless I am missing something, it should be exactly the same as what it was when passed into the cookie. Could you please post a gist or something to illustrate the issue?
Last not least you can use the
You are right about it being deprecated. Probably encodeURI() is what is really needed instead of encodeURIComponent().
Here's the problem in a nutshell: Your code works only if the cookie is being created and consumed via your plugin. If you create a cookie with your plugin and then try to read it from a php or java app, that app has to know that the cookie is encoded with encodeURIComponent() and should be urldecoded() on the backend.
The main place this causes a problem is when you put a URL or URI in a cookie. Let's say I want to put "/foo" in a cookie. EncodeURIComponent() gives me the unusable pathname "%2Ffoo" while encodeURI() gives me "/foo" which is directly consumable by any backend system or anyone else using the cookie without your plugin.
The advantage of encode() here is actually that if you have a semicolon in your cookie value, it gets escaped out. encodeURI() doesn't escape the semicolon, so you will have to add some code to handle that on top of the use of encodeURI().
Raw is OK, but I'm assuming maybe you added that because people had issues with the encoding. If you use encodeURI(), then you probably don't need it anymore.
I'm curious as to why you want that behaviour? Struggling to find an answer elsewhere http://stackoverflow.com/questions/5743119/why-use-encodeuricomponent-when-writing-json-to-a-cookie
Just if anybody else finds this discussion while searching for an answer like I did:
Cookies are passed to the server as a HTTP header:
Cookie: name1=value1; name2=value2
Obviously, value1 is not allowed to contain a ;
There are also other problematic characters.
The fact is that cookies are fundamentally hampered by the lack of encoding. You have to choose an encoding and use it both in the browser and on the server.
MDN recommends encodeURIComponent: https://developer.mozilla.org/en-US/docs/Web/API/document.cookie