#9824: encode , and ; in cookie values so that browsers don't split on them
There is a small chance of backward incompatibility here, but only for
non-SimpleCookie applications reading SimpleCookie generated cookies. Even
then, any such ap is likely to be handling escaped values already, and it would
take a fairly perverse implementation of unescaping to fail to unescape these
newly escaped chars, so the risk seems minimal.
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index fb9589c..93da627 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -173,6 +173,11 @@
'\033' : '\\033', '\034' : '\\034', '\035' : '\\035',
'\036' : '\\036', '\037' : '\\037',
+ # Because of the way browsers really handle cookies (as opposed
+ # to what the RFC says) we also encode , and ;
+
+ ',' : '\\054', ';' : '\\073',
+
'"' : '\\"', '\\' : '\\\\',
'\177' : '\\177', '\200' : '\\200', '\201' : '\\201',
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index b008e0f..f9a98c4 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -69,6 +69,14 @@
</script>
""")
+ def test_extended_encode(self):
+ # Issue 9824: some browsers don't follow the standard; we now
+ # encode , and ; to keep them from tripping up.
+ C = cookies.SimpleCookie()
+ C['val'] = "some,funky;stuff"
+ self.assertEqual(C.output(['val']),
+ 'Set-Cookie: val="some\\054funky\\073stuff"')
+
def test_special_attrs(self):
# 'expires'
C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')