Mark Thomas wrote:
Filip Hanik - Dev Lists wrote:
Mark Thomas wrote:
Filip Hanik - Dev Lists wrote:
Mark Thomas wrote:
jean-frederic clere wrote:
and we are re-escaping already escaped strings.
The spec isn't 100% clear on who is responsible for escaping the values if
required.
<spec-quote section=SRV.16.1.1.1>
... The value can be anything the server chooses to send. ...
</spec-quote>
<spec-quote section=SRV.16.1.1.2>
...
setValue(String)
what j-f-c is saying here, is that if there is a value of
Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;
when it is being parsed, it double escapes it
Path="\\"/foo/bar\\""
I get that ;)
What I was trying (not very well) to say was I don't think the spec is
clear whether we should escape everything, regardless of if it looks like
it is already escaped. I am in favour of the current behaviour because:
a) the spec isn't clear but I think it is leaning in the escape everything
direction
b) I don't like the complexity of adding an "is this value already escaped"
function. I think we would be setting ourselves up for another round of
cookie handling bugs.
the spec says
A string of text is parsed as a single word if it is quoted using
double-quote marks.
quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
qdtext = <any TEXT except <">>
The backslash character ("\") MAY be used as a single-character
quoting mechanism only within quoted-string and comment constructs.
quoted-pair = "\" CHAR
now I have to digest that :) and will comment some more.
Isn't that the http spec rather than the servlet spec?
absolutely. there is no syntax definition for HTTP header (and cookies
being such) in the servlet spec
Filip
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
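
The escaping discussed in this thread, as an added Java example (not Tomcat's code and not written by any participant; the class and method names are hypothetical). It applies the quoted-string / quoted-pair grammar quoted above and shows that quoting text that is still in escaped form adds a second layer, while the escaped text is itself a legal raw value.

```java
// Added illustration; not Tomcat code. Class and method names are hypothetical.
public class QuotedStringDemo {

    // Wrap a raw value as an HTTP quoted-string: '"' and '\' become quoted-pairs.
    static String quote(String raw) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : raw.toCharArray()) {
            if (c == '"' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    // Parse a quoted-string back to the raw value; reject malformed input.
    static String unquote(String quoted) {
        int n = quoted.length();
        if (n < 2 || quoted.charAt(0) != '"' || quoted.charAt(n - 1) != '"') {
            throw new IllegalArgumentException("not a quoted-string");
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 1; i < n - 1; i++) {
            char c = quoted.charAt(i);
            if (c == '\\') {
                if (++i >= n - 1) {
                    throw new IllegalArgumentException("dangling backslash");
                }
                c = quoted.charAt(i);
            } else if (c == '"') {
                throw new IllegalArgumentException("unescaped quote");
            }
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String raw = "\"/foo/bar\"";   // constructed sample: /foo/bar wrapped in quotes
        String wire = quote(raw);      // one layer of escaping, ready for a header
        // Parse first, then quote once on output: the wire form is reproduced.
        System.out.println(quote(unquote(wire)).equals(wire));
        // Quoting the still-escaped inner text adds a second layer.
        String inner = wire.substring(1, wire.length() - 1);
        System.out.println(quote(inner));
        // The escaped text is also a legal raw value: it round-trips unchanged,
        // so inspection alone cannot tell "already escaped" from "raw".
        System.out.println(unquote(quote(inner)).equals(inner));
    }
}
```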