Skip to content

chore(cookie): remove QueryEscape cookies (#1717) #3683

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(cookie): remove QueryEscape cookies (#1717) #3683

wants to merge 1 commit into from
+8 −1

Conversation

@cavedon
Copy link

@cavedon cavedon commented Aug 1, 2023

Cookies values are already sanitized by the Go http library, so there is no need to invoke QueryEscape() on them.
Furthermore, QueryEscape() has the undesirable effect of replacing spaces wiith "+" characters.

@cavedon
Do not QueryEscape cookies (gin-gonic#1717)
9297945 
Cookies values are already sanitized by the Go http library, so there is
no need to invoke QueryEscape() on them.
Furthermore, QueryEscape() has the undesirable effect of replacing
spaces wiith "+" characters.
@cavedon cavedon mentioned this pull request Aug 1, 2023
Open
rhcarvalho
rhcarvalho suggested changes Oct 23, 2023
View reviewed changes
Copy link

@rhcarvalho rhcarvalho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that Context.Cookie also needs an update to remove the call to url.QueryUnescape (line 912), becoming a simple proxy to c.Request.Cookie.

@rhcarvalho
Copy link

(I'm just a passerby, not a Gin maintainer)

@zzh8829
Copy link

zzh8829 commented Jul 15, 2024

This has other potential side effects for example nextjs uses the same url encode strategy
https://github.com/vercel/edge-runtime/blob/ff6580581017970106097188fbd4c0197477428c/packages/cookies/src/serialize.ts#L21

https://github.com/vercel/edge-runtime/blob/ff6580581017970106097188fbd4c0197477428c/packages/cookies/src/serialize.ts#L75

making this change means gin will no longer be compatible with cookies in nextjs

@zzh8829
Copy link

zzh8829 commented Jul 15, 2024

Also golang std library does not encode cookie, it simply sanitized it by removing bad character sets.

@llllllllr
Copy link

Why hasn't this fix been merged yet

@appleboy appleboy requested a review from Copilot May 21, 2025 11:09
@appleboy appleboy added this to the v1.11 milestone May 21, 2025
@appleboy
Copy link
Member

@cavedon Please help to rebase the master branch

Copilot AI reviewed May 21, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR removes unnecessary URL-escaping of cookie values in Context.SetCookie, relying on Go’s built-in quoting for values containing spaces, and adds a test to verify correct handling of spaces.

  • Removed url.QueryEscape usage in SetCookie to prevent spaces from becoming "+"
  • Added TestContextSetCookieWithSpace to ensure values with spaces are quoted

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
context.go Stop applying url.QueryEscape to cookie values
context_test.go New test to verify quoting of space-containing values
Comments suppressed due to low confidence (1)

context_test.go:630

  • [nitpick] Consider adding tests for other special characters (e.g., semicolons, commas, equals) in cookie values to ensure they are correctly quoted.
func TestContextSetCookieWithSpace(t *testing.T) {

context.go
http.SetCookie(c.Writer, &http.Cookie{
Name: name,
Value: url.QueryEscape(value),
Value: value,
Copy link

Copilot AI May 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider updating the SetCookie doc comment to mention that values are no longer escaped via url.QueryEscape and now rely on Go’s standard cookie quoting behavior.

Copilot uses AI. Check for mistakes.
@appleboy appleboy changed the title Do not QueryEscape cookies (#1717) chore(cookie): remove QueryEscape cookies (#1717) May 21, 2025
@appleboy appleboy modified the milestones: v1.11, v1.12 Jun 21, 2025
HoangViet144
HoangViet144 suggested changes Oct 6, 2025
View reviewed changes
Copy link

@HoangViet144 HoangViet144 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/gin-gonic/gin/pull/3683/files#diff-552f47512a00afe5fc6850cc9ddc830a6daeca162750e50aab4ed549685e0253L912
please help to remove this line as well val, _ := url.QueryUnescape(cookie.Value)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+2 more reviewers

@rhcarvalho rhcarvalho rhcarvalho requested changes

@HoangViet144 HoangViet144 HoangViet144 requested changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

enhancement

Projects

None yet

Milestone

v1.12

Development

Successfully merging this pull request may close these issues.

6 participants

@cavedon @rhcarvalho @zzh8829 @llllllllr @appleboy @HoangViet144