Jquery-cookie: Use of encodeURIComponent() on cookie values should be escape()
Is encodeURIComponent() correct here for escaping the value of the cookie? Shouldn't it be "escape"?
Cookies come in and out of your plugin just fine, but cookies containing a pathname are not really usable as-is by anyone else because of your choice of encoding.
cwhatley
All 5 comments
Reason to use encodeURIComponent / decodeURIComponent was that escape / unescape is deprecated.
Apart from that I haven't yet understood what the problem is here. The cookie value runs through decodeURIComponent before it is returned; thus, unless I am missing something, it should be exactly the same as what it was when passed into the cookie. Could you please post a gist or something to illustrate the issue?
Last not least you can use the raw option to bypass encoding in the first place.
carhartl
on 20 Jan 2011
You are right about it being deprecated. Probably encodeURI() is what is really needed instead of encodeURIComponent().
Here's the problem in a nutshell: Your code works only if the cookie is being created and consumed via your plugin. If you create a cookie with your plugin and then try to read it from a php or java app, that app has to know that the cookie is encoded with encodeURIComponent() and should be urldecoded() on the backend.
The main place this causes a problem is when you put a URL or URI in a cookie. Let's say I want to put "/foo" in a cookie. EncodeURIComponent() gives me the unusable pathname "%2Ffoo" while encodeURI() gives me "/foo" which is directly consumable by any backend system or anyone else using the cookie without your plugin.
The advantage of encode() here is actually that if you have a semicolon in your cookie value, it gets escaped out. encodeURI() doesn't escape the semicolon, so you will have to add some code to handle that on top of the use of encodeURI().
Raw is OK, but I'm assuming maybe you added that because people had issues with the encoding. If you use encodeURI(), then you probably don't need it anymore.
cwhatley
on 20 Jan 2011
Reason I cannot use encodeURI:
encodeURI('foo;bar') == "foo;bar"
But:
encodeURIComponent('foo;bar') == "foo%3Bbar"
The latter is the behavior we want.
raw was in fact added to account for playing nice with a server.
carhartl
on 27 Jan 2011
I'm curious as to why you want that behaviour? Struggling to find an answer elsewhere http://stackoverflow.com/questions/5743119/why-use-encodeuricomponent-when-writing-json-to-a-cookie
wheresrhys
on 21 Apr 2011
Just if anybody else finds this discussion while searching for an answer like I did:
Cookies are passed to the server as a HTTP header:
Cookie: name1=value1; name2=value2
Obviously, value1 is not allowed to contain a ;
There are also other problematic characters.
The fact is that cookies are fundamentally hampered by the lack of encoding. You have to choose an encoding and use it both in the browser and on the server.
MDN recommends encodeURIComponent: https://developer.mozilla.org/en-US/docs/Web/API/document.cookie
Ahnfelt
on 17 Sep 2013
Related issues
erikvold
·
26Comments
jonathan
·
11Comments
paulirish
·
132Comments
int3
·
22Comments
Omiod
·
13Comments
Most helpful comment
Just if anybody else finds this discussion while searching for an answer like I did:
Cookies are passed to the server as a HTTP header:
Cookie: name1=value1; name2=value2
Obviously, value1 is not allowed to contain a ;
There are also other problematic characters.
The fact is that cookies are fundamentally hampered by the lack of encoding. You have to choose an encoding and use it both in the browser and on the server.
MDN recommends encodeURIComponent: https://developer.mozilla.org/en-US/docs/Web/API/document.cookie