Use of encodeURIComponent() on cookie values should be escape() #3

cwhatley opened this Issue Jan 20, 2011 · 5 comments


None yet

4 participants


Is encodeURIComponent() correct here for escaping the value of the cookie? Shouldn't it be "escape"?

Cookies come in and out of your plugin just fine, but cookies containing a pathname are not really usable as-is by anyone else because of your choice of encoding.


Reason to use encodeURIComponent / decodeURIComponent was that escape / unescape is deprecated.

Apart from that I haven't yet understood what the problem is here. The cookie value runs through decodeURIComponent before it is returned; thus, unless I am missing something, it should be exactly the same as what it was when passed into the cookie. Could you please post a gist or something to illustrate the issue?

Last not least you can use the raw option to bypass encoding in the first place.


You are right about it being deprecated. Probably encodeURI() is what is really needed instead of encodeURIComponent().

Here's the problem in a nutshell: Your code works only if the cookie is being created and consumed via your plugin. If you create a cookie with your plugin and then try to read it from a php or java app, that app has to know that the cookie is encoded with encodeURIComponent() and should be urldecoded() on the backend.

The main place this causes a problem is when you put a URL or URI in a cookie. Let's say I want to put "/foo" in a cookie. EncodeURIComponent() gives me the unusable pathname "%2Ffoo" while encodeURI() gives me "/foo" which is directly consumable by any backend system or anyone else using the cookie without your plugin.

The advantage of encode() here is actually that if you have a semicolon in your cookie value, it gets escaped out. encodeURI() doesn't escape the semicolon, so you will have to add some code to handle that on top of the use of encodeURI().

Raw is OK, but I'm assuming maybe you added that because people had issues with the encoding. If you use encodeURI(), then you probably don't need it anymore.


Reason I cannot use encodeURI:

encodeURI('foo;bar') == "foo;bar"


encodeURIComponent('foo;bar') == "foo%3Bbar"

The latter is the behavior we want.

raw was in fact added to account for playing nice with a server.


I'm curious as to why you want that behaviour? Struggling to find an answer elsewhere

Ahnfelt commented Sep 17, 2013

Just if anybody else finds this discussion while searching for an answer like I did:

Cookies are passed to the server as a HTTP header:

Cookie: name1=value1; name2=value2

Obviously, value1 is not allowed to contain a ;

There are also other problematic characters.

The fact is that cookies are fundamentally hampered by the lack of encoding. You have to choose an encoding and use it both in the browser and on the server.

MDN recommends encodeURIComponent:

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment