Diffstat (limited to 'std/http/cookie.ts')
-rw-r--r--std/http/cookie.ts28
1 files changed, 28 insertions, 0 deletions
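--- a/std/http/cookie.ts
+++ b/std/http/cookie.ts
@@ -40,6 +40,7 @@ function toString(cookie: Cookie): string {
 }
 const out: string[] = [];
 validateCookieName(cookie.name);
+ validateCookieValue(cookie.name, cookie.value);
 out.push(`${cookie.name}=${cookie.value}`);
 // Fallback for invalid Set-Cookie
@@ -115,6 +116,33 @@ function validatePath(path: string | null): void {
 }
 /**
+ *Validate Cookie Value.
+ * @see https://tools.ietf.org/html/rfc6265#section-4.1
+ * @param value Cookie value.
+ */
+function validateCookieValue(name: string, value: string | null): void {
+ if (value == null || name == null) return;
+ for (let i = 0; i < value.length; i++) {
+ const c = value.charAt(i);
+ if (
+ c < String.fromCharCode(0x21) || c == String.fromCharCode(0x22) ||
+ c == String.fromCharCode(0x2c) || c == String.fromCharCode(0x3b) ||
+ c == String.fromCharCode(0x5c) || c == String.fromCharCode(0x7f)
+ ) {
+ throw new Error(
+ "RFC2616 cookie '" + name + "' cannot have '" + c + "' as value",
+ );
+ }
+ if (c > String.fromCharCode(0x80)) {
+ throw new Error(
+ "RFC2616 cookie '" + name + "' can only have US-ASCII chars as value" +
+ c.charCodeAt(0).toString(16),
+ );
+ }
+ }
+}
+
+/**
 * Parse the cookies of the Server Request
 * @param req An object which has a `headers` property
 */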
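Review bot: The non-ASCII guard in validateCookieValue, `if (c > String.fromCharCode(0x80))`, is off by one: U+0080 is not below 0x21, not in the explicit reject list, and not greater than 0x80, so it passes even though RFC 6265 cookie-value is limited to 0x21–0x7E; compare against 0x7f instead, `if (c.charCodeAt(0) > 0x7f) {`. The message in that branch also runs the hex digits straight into the word "value"; `"... can only have US-ASCII chars as value, got 0x" + c.charCodeAt(0).toString(16)` keeps it readable. Both messages cite RFC2616 while the `@see` points at RFC 6265, which is the document that defines cookie-value, so the messages should name 6265; the doc comment is also missing a space in `*Validate` and a `@param name` entry. The rejected set (controls incl. CR/LF, DQUOTE, comma, semicolon, backslash, DEL) is what prevents a value from terminating or splitting the Set-Cookie header, so the 0x80 gap is the one remaining hole in this character-class check.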