Filip Hanik - Dev Lists wrote:
> Mark Thomas wrote:
>> Filip Hanik - Dev Lists wrote:
>>
>>> Mark Thomas wrote:
>>>
>>>> jean-frederic clere wrote:
>>>>
>>>>> and we are re escaping already escaped strings.
>>>>>
>>>> The spec isn't 100% clear on who is responsible for escaping the
>>>> values if required.
>>>>
>>>> <spec-quote section=SRV.16.1.1.1>
>>>> ... The value can be anything the server chooses to send. ...
>>>> </spec-quote>
>>>> <spec-quote section=SRV.16.1.1.2>
>>>> ...
>>>> setValue(String)
>>>>
>>> what j-f-c is saying here, is that if there is a value of
>>> Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;
>>>
>>> when it is being parsed, it double escapes it
>>> Path="\\"/foo/bar\\""
>>>
>>
>> I get that ;)
>>
>> What I was trying (not very well) to say was I don't think the spec is
>> clear whether we should escape everything, regardless of if it looks like
>> it is already escaped. I am in favour of the current behaviour because:
>> a) the spec isn't clear but I think it is leaning in the escape
>> everything direction
>>
>> b) I don't like the complexity of adding an "is this value already
>> escaped" function. I think we would be setting ourselves up for another
>> round of cookie handling bugs.
>>
> the spec says
>
> A string of text is parsed as a single word if it is quoted using
> double-quote marks.
>
> quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
> qdtext = <any TEXT except <">>
>
> The backslash character ("\") MAY be used as a single-character
> quoting mechanism only within quoted-string and comment constructs.
>
> quoted-pair = "\" CHAR
>
> now I have to digest that :) and will comment some more.

Isn't that the http spec rather than the servlet spec?
Mark
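
An added example, not part of the thread and not Tomcat's code: a small Python encoder and decoder for the quoted-string grammar quoted above. It shows that decoding once and encoding once round-trips the `$Path` value, that encoding the wire form again changes it, and that an "is this value already escaped" guess alters a raw value containing a backslash. `looks_escaped` and `guess_quote` are hypothetical names, and the sample values are constructed.

```python
# Added example: quoted-string handling per the grammar quoted in the thread.

def quote(value: str) -> str:
    """Encode a raw value as a quoted-string, using quoted-pairs where needed."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def unquote(token: str) -> str:
    """Decode a quoted-string back to the raw value; reject malformed input."""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError("not a quoted-string")
    out, i, end = [], 1, len(token) - 1
    while i < end:
        ch = token[i]
        if ch == "\\":                 # quoted-pair = "\" CHAR
            i += 1
            if i >= end:               # the backslash consumed the closing quote
                raise ValueError("dangling backslash")
            out.append(token[i])
        elif ch == '"':                # qdtext may not contain a bare <">
            raise ValueError("bare double quote inside quoted-string")
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def looks_escaped(value: str) -> bool:
    """Hypothetical heuristic: no double quote appears without a backslash before it."""
    i = 0
    while i < len(value):
        if value[i] == "\\":           # skip the backslash and the char it covers
            i += 2
            continue
        if value[i] == '"':
            return False
        i += 1
    return True

def guess_quote(value: str) -> str:
    """Hypothetical generator that skips escaping when the value looks escaped."""
    return '"' + value + '"' if looks_escaped(value) else quote(value)

# Constructed from the $Path value in the thread: "\"/foo/bar\""
WIRE = r'"\"/foo/bar\""'
RAW_WITH_BACKSLASH = 'a\\"b'           # constructed raw value: a, backslash, quote, b

if __name__ == "__main__":
    print(unquote(WIRE))                             # decode once on input
    print(quote(unquote(WIRE)) == WIRE)              # encode once on output
    print(quote(WIRE))                               # wire form encoded again
    print(unquote(guess_quote(RAW_WITH_BACKSLASH)))  # heuristic changes the value
```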