https://github.com/python/cpython/commit/ed27363ddf340577afd5b7b67e604489f5ee7aa3 commit: ed27363ddf340577afd5b7b67e604489f5ee7aa3 branch: 3.15 author: Miss Islington (bot) <[email protected]> committer: encukou <[email protected]> date: 2026-05-15T00:38:11+02:00 summary:
[3.15] gh-149144: Use decodeURIComponent() for UTF-8 support in js_output() (GH-149157) (GH-149846) gh-149144: Use decodeURIComponent() for UTF-8 support in js_output() (GH-149157) (cherry picked from commit 461b1d96313de02992d284c1782be9aff24586c9) Co-authored-by: Seth Larson <[email protected]> files: M Lib/http/cookies.py M Lib/test/test_http_cookies.py diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py index 800a2c18e3fa41..9a6f01dfb5e69a 100644 --- a/Lib/http/cookies.py +++ b/Lib/http/cookies.py @@ -391,21 +391,20 @@ def output(self, attrs=None, header="Set-Cookie:"): def __repr__(self): return '<%s: %s>' % (self.__class__.__name__, self.OutputString()) - def _js_output(self, attrs=None): """Internal implementation without deprecation warning.""" - import base64 + import urllib.parse # Print javascript output_string = self.OutputString(attrs) if _has_control_character(output_string): raise CookieError("Control characters are not allowed in cookies") # Base64-encode value to avoid template # injection in cookie values. - output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii") + output_encoded = urllib.parse.quote(output_string, safe='', encoding='utf-8') return """ <script type="text/javascript"> <!-- begin hiding - document.cookie = atob(\"%s\"); + document.cookie = decodeURIComponent(\"%s\"); // end hiding --> </script> """ % (output_encoded,) diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py index cde268e3241850..d1df2ec42f0d14 100644 --- a/Lib/test/test_http_cookies.py +++ b/Lib/test/test_http_cookies.py @@ -1,11 +1,11 @@ # Simple test suite for http/cookies.py -import base64 import copy import unittest import doctest from http import cookies import pickle from test import support +import urllib.parse class CookieTests(unittest.TestCase): @@ -152,21 +152,21 @@ def test_load(self): self.assertEqual(C.output(['path']), 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') - cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme; Version=1').decode('ascii') + cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme; Version=1', safe='', encoding='utf-8') with self.assertWarnsRegex(DeprecationWarning, r"BaseCookie\.js_output"): self.assertEqual(C.js_output(), fr""" <script type="text/javascript"> <!-- begin hiding - document.cookie = atob("{cookie_encoded}"); + document.cookie = decodeURIComponent("{cookie_encoded}"); // end hiding --> </script> """) - cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme').decode('ascii') + cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme', safe='', encoding='utf-8') with self.assertWarnsRegex(DeprecationWarning, r"BaseCookie\.js_output"): self.assertEqual(C.js_output(['path']), fr""" <script type="text/javascript"> <!-- begin hiding - document.cookie = atob("{cookie_encoded}"); + document.cookie = decodeURIComponent("{cookie_encoded}"); // end hiding --> </script> """) @@ -271,21 +271,21 @@ def test_quoted_meta(self): self.assertEqual(C.output(['path']), 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') - expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1').decode('ascii') + expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1', safe='', encoding='utf-8') with self.assertWarnsRegex(DeprecationWarning, r"BaseCookie\.js_output"): self.assertEqual(C.js_output(), fr""" <script type="text/javascript"> <!-- begin hiding - document.cookie = atob("{expected_encoded_cookie}"); + document.cookie = decodeURIComponent("{expected_encoded_cookie}"); // end hiding --> </script> """) - expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii') + expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme', safe='', encoding='utf-8') with self.assertWarnsRegex(DeprecationWarning, r"BaseCookie\.js_output"): self.assertEqual(C.js_output(['path']), fr""" <script type="text/javascript"> <!-- begin hiding - document.cookie = atob("{expected_encoded_cookie}"); + document.cookie = decodeURIComponent("{expected_encoded_cookie}"); // end hiding --> </script> """) @@ -376,13 +376,14 @@ def test_setter(self): self.assertEqual( M.output(), "Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i)) - expected_encoded_cookie = base64.b64encode( - ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii") - ).decode('ascii') + expected_encoded_cookie = urllib.parse.quote( + "%s=%s; Path=/foo" % (i, "%s_coded_val" % i), + safe='', encoding='utf-8', + ) expected_js_output = """ <script type="text/javascript"> <!-- begin hiding - document.cookie = atob("%s"); + document.cookie = decodeURIComponent("%s"); // end hiding --> </script> """ % (expected_encoded_cookie,) _______________________________________________ Python-checkins mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3//lists/python-checkins.python.org Member address: [email protected]
