From 929794596f18ada3ca5edfeae193c3b1a1c33823 Mon Sep 17 00:00:00 2001 From: Ludovico Cavedon Date: Wed, 2 Aug 2023 00:13:28 +0200 Subject: [PATCH] Do not QueryEscape cookies (#1717) Cookies values are already sanitized by the Go http library, so there is no need to invoke QueryEscape() on them. Furthermore, QueryEscape() has the undesirable effect of replacing spaces wiith "+" characters. --- context.go | 2 +- context_test.go | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/context.go b/context.go index 420ff167..5011d3a0 100644 --- a/context.go +++ b/context.go @@ -890,7 +890,7 @@ func (c *Context) SetCookie(name, value string, maxAge int, path, domain string, } http.SetCookie(c.Writer, &http.Cookie{ Name: name, - Value: url.QueryEscape(value), + Value: value, MaxAge: maxAge, Path: path, Domain: domain, diff --git a/context_test.go b/context_test.go index 70d47583..38f19ffa 100644 --- a/context_test.go +++ b/context_test.go @@ -627,6 +627,13 @@ func TestContextSetCookiePathEmpty(t *testing.T) { assert.Equal(t, "user=gin; Path=/; Domain=localhost; Max-Age=1; HttpOnly; Secure; SameSite=Lax", c.Writer.Header().Get("Set-Cookie")) } +func TestContextSetCookieWithSpace(t *testing.T) { + c, _ := CreateTestContext(httptest.NewRecorder()) + c.SetSameSite(http.SameSiteLaxMode) + c.SetCookie("user", "gin test", 1, "/", "localhost", true, true) + assert.Equal(t, "user=\"gin test\"; Path=/; Domain=localhost; Max-Age=1; HttpOnly; Secure; SameSite=Lax", c.Writer.Header().Get("Set-Cookie")) +} + func TestContextGetCookie(t *testing.T) { c, _ := CreateTestContext(httptest.NewRecorder()) c.Request, _ = http.NewRequest("GET", "/get", nil)