[Python-checkins] [3.13] gh-149144: Use `decodeURIComponent()` for UTF-8 support in `js_output()` (GH-149157) (#150949)

Mon, 08 Jun 2026 12:15:47 -0700 

https://github.com/python/cpython/commit/e7d4c3ff421916986223690a8425d2383f6f3802
commit: e7d4c3ff421916986223690a8425d2383f6f3802
branch: 3.13
author: Stan Ulbrych <[email protected]>
committer: StanFromIreland <[email protected]>
date: 2026-06-08T20:15:21+01:00
summary:

[3.13] gh-149144: Use `decodeURIComponent()` for UTF-8 support in `js_output()` 
(GH-149157) (#150949)

Co-authored-by: Seth Larson <[email protected]>

files:
M Lib/http/cookies.py
M Lib/test/test_http_cookies.py

diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index aebc2a163e4487b..2cffa2a9ad6e305 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -389,18 +389,18 @@ def __repr__(self):
         return '<%s: %s>' % (self.__class__.__name__, self.OutputString())
 
     def js_output(self, attrs=None):
-        import base64
+        import urllib.parse
         # Print javascript
         output_string = self.OutputString(attrs)
         if _has_control_character(output_string):
             raise CookieError("Control characters are not allowed in cookies")
         # Base64-encode value to avoid template
         # injection in cookie values.
-        output_encoded = 
base64.b64encode(output_string.encode('utf-8')).decode("ascii")
+        output_encoded = urllib.parse.quote(output_string, safe='', 
encoding='utf-8')
         return """
         <script type="text/javascript">
         <!-- begin hiding
-        document.cookie = atob(\"%s\");
+        document.cookie = decodeURIComponent(\"%s\");
         // end hiding -->
         </script>
         """ % (output_encoded,)
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index 88914123d513030..c48d5d91c2b3445 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -1,10 +1,10 @@
 # Simple test suite for http/cookies.py
-import base64
 import copy
 import unittest
 import doctest
 from http import cookies
 import pickle
+import urllib.parse
 from test import support
 from test.support.testcase import ExtraAssertions
 
@@ -153,19 +153,19 @@ def test_load(self):
 
         self.assertEqual(C.output(['path']),
             'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
-        cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; 
Path=/acme; Version=1').decode('ascii')
+        cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; 
Path=/acme; Version=1', safe='', encoding='utf-8')
         self.assertEqual(C.js_output(), fr"""
         <script type="text/javascript">
         <!-- begin hiding
-        document.cookie = atob("{cookie_encoded}");
+        document.cookie = decodeURIComponent("{cookie_encoded}");
         // end hiding -->
         </script>
         """)
-        cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; 
Path=/acme').decode('ascii')
+        cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; 
Path=/acme', safe='', encoding='utf-8')
         self.assertEqual(C.js_output(['path']), fr"""
         <script type="text/javascript">
         <!-- begin hiding
-        document.cookie = atob("{cookie_encoded}");
+        document.cookie = decodeURIComponent("{cookie_encoded}");
         // end hiding -->
         </script>
         """)
@@ -262,19 +262,19 @@ def test_quoted_meta(self):
 
         self.assertEqual(C.output(['path']),
                          'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
-        expected_encoded_cookie = 
base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; 
Version=1').decode('ascii')
+        expected_encoded_cookie = 
urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1', 
safe='', encoding='utf-8')
         self.assertEqual(C.js_output(), fr"""
         <script type="text/javascript">
         <!-- begin hiding
-        document.cookie = atob("{expected_encoded_cookie}");
+        document.cookie = decodeURIComponent("{expected_encoded_cookie}");
         // end hiding -->
         </script>
         """)
-        expected_encoded_cookie = 
base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii')
+        expected_encoded_cookie = 
urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme', safe='', 
encoding='utf-8')
         self.assertEqual(C.js_output(['path']), fr"""
         <script type="text/javascript">
         <!-- begin hiding
-        document.cookie = atob("{expected_encoded_cookie}");
+        document.cookie = decodeURIComponent("{expected_encoded_cookie}");
         // end hiding -->
         </script>
         """)
@@ -365,13 +365,14 @@ def test_setter(self):
             self.assertEqual(
                 M.output(),
                 "Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i))
-            expected_encoded_cookie = base64.b64encode(
-                ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii")
-            ).decode('ascii')
+            expected_encoded_cookie = urllib.parse.quote(
+                "%s=%s; Path=/foo" % (i, "%s_coded_val" % i),
+                safe='', encoding='utf-8',
+            )
             expected_js_output = """
         <script type="text/javascript">
         <!-- begin hiding
-        document.cookie = atob("%s");
+        document.cookie = decodeURIComponent("%s");
         // end hiding -->
         </script>
         """ % (expected_encoded_cookie,)

_______________________________________________
Python-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: [email protected]

Reply via email to