Mark Thomas wrote:
Filip Hanik - Dev Lists wrote:
Mark Thomas wrote:
jean-frederic clere wrote:
and we are re-escaping already escaped strings.
The spec isn't 100% clear on who is responsible for escaping the
values if required.
<spec-quote section=SRV.16.1.1.1>
... The value can be anything the server chooses to send. ...
</spec-quote>
<spec-quote section=SRV.16.1.1.2>
...
setValue(String)
what j-f-c is saying here, is that if there is a value of
Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;
when it is being parsed, it double escapes it
Path="\\"/foo/bar\\""
I get that ;)
What I was trying (not very well) to say was I don't think the spec is
clear whether we should escape everything, regardless of if it looks like
it is already escaped. I am in favour of the current behaviour because:
a) the spec isn't clear but I think it is leaning in the escape everything
direction
b) I don't like the complexity of adding an "is this value already escaped"
function. I think we would be setting ourselves up for another round of
cookie handling bugs.
the spec says
A string of text is parsed as a single word if it is quoted using
double-quote marks.
quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
qdtext = <any TEXT except <">>
The backslash character ("\") MAY be used as a single-character
quoting mechanism only within quoted-string and comment constructs.
quoted-pair = "\" CHAR
now I have to digest that :) and will comment some more.
Filip
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
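
The trade-off discussed in this thread, as an added example (not code from the thread or from Tomcat): always escaping a cookie value into an RFC 2109 quoted-string round-trips exactly, while an "is this value already escaped" check has to guess. The class and method names are hypothetical, and the sample values are constructed, the second one modelled on the Path value quoted above.

```java
public class CookieQuoting {
    // Escape-everything: prefix '"' and '\' with a backslash (quoted-pair), then wrap in quotes.
    static String quote(String value) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : value.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\');
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    // Inverse of quote(): drop the surrounding quotes and resolve each quoted-pair.
    static String unquote(String quoted) {
        StringBuilder sb = new StringBuilder();
        int end = quoted.length() - 1;
        for (int i = 1; i < end; i++) {
            char c = quoted.charAt(i);
            if (c == '\\' && i + 1 < end) c = quoted.charAt(++i);
            sb.append(c);
        }
        return sb.toString();
    }

    // Hypothetical heuristic: the value "looks escaped" if it has no bare '"'
    // and every backslash is followed by another character.
    static boolean looksEscaped(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"') return false;
            if (c == '\\' && ++i >= value.length()) return false;
        }
        return value.indexOf('\\') >= 0;
    }

    public static void main(String[] args) {
        // Constructed application values: quotes only, backslash-quote pairs, a lone backslash.
        String[] samples = { "\"/foo/bar\"", "\\\"/foo/bar\\\"", "C:\\new" };
        for (String v : samples) {
            String always = quote(v);
            // The heuristic sends "escaped-looking" values through unchanged.
            String guessed = looksEscaped(v) ? "\"" + v + "\"" : always;
            System.out.printf("value      : %s%n", v);
            System.out.printf("  escape all: %s  round-trip=%b%n", always, unquote(always).equals(v));
            System.out.printf("  heuristic : %s  round-trip=%b%n", guessed, unquote(guessed).equals(v));
        }
    }
}
```

With escape-everything, all three values come back unchanged after unquoting. With the heuristic, the second and third values lose their backslashes, because a literal backslash in the application's value is indistinguishable from an escape.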