Adds RFC2068 quoted string decoding #57

Closed
5 participants

@robmadole

With a cookie like this:

Cookie: mycookie="robmadole@gmail.com";

The quotes are not removed when the value is returned.

This cookie would also cause a problem:

Cookie: mycookie="A value with \" and \\";

This pull request adds the decoding of the escaped characters and removes the leading and trailing quote.

@robmadole

I think with the introduction of issue #50 and this issue, it would be a good idea to update the underlying engine of this to use a lexer and parser. Seems like the format of these cookies can vary wildly.

@carhartl have you considered something like this before?

@carhartl
Owner

@robmadole No, not yet. Do you really think this is required?

@robmadole

@carhartl No, it's not required. I'm wondering if it would add some future-proofing and make bug fixing easier.

@jvanasco

I think this is required. It's not compatible with the RFC - web servers will correctly quote cookie values that include reserved tokens (see this comment for the webob library).

Pylons/webob#27 (comment)

The RFCs for cookies are 2109 > 2965 > 6265. 2109 and 2965 both explicitly state a "token or quoted string" as the value; 6265 refers to 2616, which notes quoted strings as valid in section 4.2 'Message Headers'.

A quick fix to the current version of jquery.cookie is this:

for (var i = 0, parts; (parts = cookies[i] && cookies[i].split('=')); i++) {
    if (decode(parts.shift()) === key) {
        var value= parts.join('=') ;
            value= RegExp( '(["\']?)(.*)\\1' ).exec(value)[2];
        return value;
    }
}

The earlier versions can benefit from:

return (result = new RegExp('(?:^|; )' + encodeURIComponent(key) + '=(["\']?)([^;]*)\\1').exec(document.cookie)) ? decode(result[2]) : null;
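
A single-pass way to decode the quoted-string cookie values discussed in this thread, as an added example that is not code from the pull request or from jquery.cookie. The function names and the sample header are constructed, and percent-decoding after unquoting is an assumption that follows the plugin's default behaviour.

```javascript
// Added example; all names here are hypothetical, not jquery.cookie API.

// Constructed sample header: repeated escapes, "=" inside a value,
// percent-encoded quotes, and an unterminated quoted value.
const SAMPLE = 'a=1; mycookie="A value with \\" and \\\\ and \\"two\\""; ' +
               't=x=y; p=%22notquoted%22; bad="open';

// Percent-decode, but never throw on malformed sequences such as "%zz".
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Strip the surrounding DQUOTEs and resolve backslash quoted-pairs.
// The anchored pattern accepts only a well-formed quoted-string, so a
// lone leading quote or an escaped final quote leaves the value as is.
function unquoteCookieValue(raw) {
  const m = /^"((?:[^"\\]|\\[\s\S])*)"$/.exec(raw);
  if (!m) return raw;
  // One global pass: each backslash consumes exactly the next character.
  return m[1].replace(/\\([\s\S])/g, '$1');
}

// Read one cookie from a Cookie-header-style string (same shape as
// document.cookie). Values containing ";" are out of scope here.
function readCookie(header, name, raw) {
  for (const pair of header.split(/;\s*/)) {
    const eq = pair.indexOf('=');
    // Split on the first "=" only, so "t=x=y" keeps its full value.
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    if (safeDecode(key) !== name) continue;
    if (raw) return rawValue;
    // Unquote first, then percent-decode, so a value whose quotes arrived
    // as %22 is data and is not mistaken for a quoted-string.
    return safeDecode(unquoteCookieValue(rawValue));
  }
  return null;
}
```
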
@pboling

Just ran into this myself. I have some code that wants to use config.raw = true and config.json = true but also other code that was happily using the string encoding and decoding of the older versions. Now my strings are harder to use: "\"hello\"".

@kirpit

Many blame jquery.cookie for this issue.
https://code.djangoproject.com/ticket/19641#no2

@carhartl
Owner

I will get this in today and release 1.3.

@carhartl was assigned
@carhartl closed this in ff9dfc6
Commits on Mar 23, 2012
  1. @robmadole
Showing with 23 additions and 5 deletions.
  1. +16 −3 jquery.cookie.js
  2. +7 −2 test.js
19 jquery.cookie.js
@@ -36,11 +36,24 @@
// key and possibly options given, get cookie...
options = value || {};
- var decode = options.raw ? function(s) { return s; } : decodeURIComponent;
+ var rawreturn = function(s) { return s; };
+ var decode = options.raw ? rawreturn : decodeURIComponent;
+ var un_rfc2068 = options.raw ? rawreturn : function(value) {
+ if (value.indexOf('"') === 0) {
+ // This is a quoted cookie as according to RFC2068, unescape
+ value = value.substr(1, value.length - 2); // Remove the leading and trailing "
+ value = value.replace('\\"', '"');
+ value = value.replace('\\\\', '\\');
+ }
+ return value;
+ };
- var pairs = document.cookie.split('; ');
+ var value, pairs = document.cookie.split('; ');
for (var i = 0, pair; pair = pairs[i] && pairs[i].split('='); i++) {
- if (decode(pair[0]) === key) return decode(pair[1] || ''); // IE saves cookies with empty string as "c; ", e.g. without "=" as opposed to EOMB, thus pair[1] may be undefined
+ if (decode(pair[0]) === key) {
+ // IE saves cookies with empty string as "c; ", e.g. without "=" as opposed to EOMB, thus pair[1] may be undefined
+ return un_rfc2068(decode(pair[1] || ''));
+ }
}
return null;
};
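Review bot: In un_rfc2068 the two calls `value.replace('\\"', '"')` and `value.replace('\\\\', '\\')` pass string patterns, so each unescapes only the first occurrence and a value with two escaped quotes keeps a stray backslash. A single global pass such as `value.replace(/\\(.)/g, '$1')` would handle every quoted-pair. The `value.indexOf('"') === 0` check also drops the last character without confirming it is a closing quote, so a value that merely starts with a quote loses its final character. Finally, `un_rfc2068(decode(pair[1] || ''))` unquotes after percent-decoding, which means a value beginning with `%22` is treated as a quoted string; unquoting before decoding would keep encoded quotes as data.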
9 test.js
@@ -29,9 +29,14 @@ test('decode', 1, function () {
equal($.cookie(' c'), ' v', 'should decode key and value');
});
+test('rfc2068', 1, function () {
+ document.cookie = 'c="v@address.com\\"\\\\"';
+ equal($.cookie('c'), 'v@address.com"\\', 'should decode rfc2068 quoted string');
+});
+
test('raw: true', 1, function () {
- document.cookie = 'c=%20v';
- equal($.cookie('c', { raw: true }), '%20v', 'should not decode');
+ document.cookie = 'c=%20v"\\';
+ equal($.cookie('c', { raw: true }), '%20v"\\', 'should not decode');
});
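Review bot: The new 'rfc2068' test contains exactly one escaped quote and one escaped backslash, so it passes even though the string-pattern replace calls in un_rfc2068 only touch the first occurrence of each. Please add a case with repeated escapes, for example a value with two `\\"` sequences, and one for a value that starts with a quote but has no closing quote. The updated 'raw: true' test covers a trailing quote and backslash but not a fully quoted value, so it does not show that raw mode returns a quoted cookie with its quotes intact.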