Merge 929794596f into f05f966a08

Do not QueryEscape cookies (#1717 )
Cookies values are already sanitized by the Go http library, so there is no need to invoke QueryEscape() on them. Furthermore, QueryEscape() has the undesirable effect of replacing spaces wiith "+" characters.
2024-09-22 21:05:40 +08:00 · 2023-08-02 00:13:28 +02:00
2 changed files with 8 additions and 1 deletions
--- a/context.go
+++ b/context.go
@ -1086,7 +1086,7 @@ func (c *Context) SetCookie(name, value string, maxAge int, path, domain string,
 	}
 	http.SetCookie(c.Writer, &http.Cookie{
 		Name:     name,
-		Value:    url.QueryEscape(value),
+		Value:    value,
 		MaxAge:   maxAge,
 		Path:     path,
 		Domain:   domain,
--- a/context_test.go
+++ b/context_test.go
@ -832,6 +832,13 @@ func TestContextSetCookiePathEmpty(t *testing.T) {
 	assert.Equal(t, "user=gin; Path=/; Domain=localhost; Max-Age=1; HttpOnly; Secure; SameSite=Lax", c.Writer.Header().Get("Set-Cookie"))
 }

+func TestContextSetCookieWithSpace(t *testing.T) {
+	c, _ := CreateTestContext(httptest.NewRecorder())
+	c.SetSameSite(http.SameSiteLaxMode)
+	c.SetCookie("user", "gin test", 1, "/", "localhost", true, true)
+	assert.Equal(t, "user=\"gin test\"; Path=/; Domain=localhost; Max-Age=1; HttpOnly; Secure; SameSite=Lax", c.Writer.Header().Get("Set-Cookie"))
+}
+
 func TestContextGetCookie(t *testing.T) {
 	c, _ := CreateTestContext(httptest.NewRecorder())
 	c.Request, _ = http.NewRequest("GET", "/get", nil)