Cookies do not have a standard escaping mechanism. The ; character, for example, simply cannot be used in a cookie at all; unlike with URL-encoding or HTML-encoding there is no scheme that will allow a character taken directly from a cookie to represent a semicolon.
So what people tend to do is ad-hoc encoding - they encode the cookie with some arbitrary form of encoding, and decode it again after pulling it back out. URL-encoding, which is what encodeURIComponent() does, is the most popular ad-hoc encoding method, but still not one you can expect tools to use unconditionally.
The jQuery cookie plugin adopts this form of encoding, and calls encodeURIComponent() for you on the cookie name and value. So if you pass the name wsjnudge_javascript:jQuery... to it, the cookie you'll be setting will have the real name wsjnudge_javascript%3AjQuery... When you call encodeURIComponent() yourself on top of that as in your example code, the output you will get is double-encoded: wsjnudge_javascript%253AjQuery...
Presumably neither of these names are any use to the third-party code you are using, which is probably looking for the cookie with the real name wsjnudge_javascript:jQuery... You cannot set this cookie with the jQuery cookie plugin because of its built-in non-cookie-standard URL-encoding. You can by setting it directly in JavaScript, eg:
document.cookie= 'wsjnudge_javascript:jQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_= true';
though either way note you may need to add some parameters to that to match whatever the third-party code is using - if the path and domain parameters don't match then you can end up with two copies of the same cookie.
In theory, according to RFC 6265 which is the nearest thing we have to a standard for cookies, it shouldn't be allowable to include a colon in a cookie name without surrounding the name in double quotes. However, in practice browsers (that I've tested) do allow it, and don't treat the double quotes as anything special - so the real cookie name in that case would end up containing double quotes, which wouldn't be recognised by the third-party script.
Putting colons in cookie names is somewhat inadvisable because of this, but that is presumably part of the third-party script so you're stuck with it. The cookie name in general is very weird and I'm worried that it appears to contain executable JavaScript code.
I can't tell if this is really what's happening without the third-party source code, but if the third-party script does indeed extract that JavaScript code from the cookie name and execute it with eval()
then that's a really bad idea. Apart from the grievous ugliness, it would allow anyone who could inject a cookie into your domain (eg from a vulnerable related-domain) to escalate that cookie injection into a full-blown cross-site-scripting vulnerability.
It depends on what your site does and what user data/interactions it has whether you're worried about that kind of attack. Personally I would be uncomfortable with doing that on one of my sites...
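As an added illustration of the encoding effects described in the answer above (this is example code, not part of the original answer or of the jQuery cookie plugin), the following models how a browser stores a document.cookie write: only the first name=value pair before the first ; is kept, so a raw ; ends the value, and a name URL-encoded by the plugin (or double-encoded by calling encodeURIComponent() yourself) is stored under that encoded name and is not found by a script looking for the literal name. The cookie name wsjnudge_javascript:jQuery_example is a constructed stand-in for the truncated name in the question; the cookie jar is a plain object, not a real browser.

```javascript
// Constructed model of a browser cookie jar. A write to document.cookie looks
// like "name=value; attr=...; attr=..."; the browser stores only the first
// "name=value" pair and treats everything after the first ';' as attributes.
function parseCookieWrite(cookieString) {
  const [pair] = cookieString.split(';');
  const eq = pair.indexOf('=');
  if (eq === -1) return null;
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// The jar is keyed by the *raw* cookie name exactly as the browser sees it.
function writeCookie(jar, cookieString) {
  const c = parseCookieWrite(cookieString);
  if (c) jar[c.name] = c.value;
  return jar;
}

// What the jQuery cookie plugin does: URL-encode both name and value before writing.
function jqueryPluginStyleSet(jar, name, value) {
  return writeCookie(jar, encodeURIComponent(name) + '=' + encodeURIComponent(value));
}

// Writing the cookie directly, as the answer suggests: no encoding at all.
function rawSet(jar, name, value) {
  return writeCookie(jar, name + '=' + value);
}

// A third-party script looking the cookie up by its literal, unencoded name.
function lookupRaw(jar, name) {
  return Object.prototype.hasOwnProperty.call(jar, name) ? jar[name] : undefined;
}

// Constructed stand-in for the truncated name in the question.
const THIRD_PARTY_NAME = 'wsjnudge_javascript:jQuery_example';

function demo() {
  const viaPlugin = jqueryPluginStyleSet({}, THIRD_PARTY_NAME, 'true');
  // Calling encodeURIComponent() yourself and then passing the result to the plugin.
  const doubleEncoded = jqueryPluginStyleSet({}, encodeURIComponent(THIRD_PARTY_NAME), 'true');
  const viaRaw = rawSet({}, THIRD_PARTY_NAME, 'true');
  return {
    pluginStoredName: Object.keys(viaPlugin)[0],        // colon becomes %3A
    doubleStoredName: Object.keys(doubleEncoded)[0],    // %3A becomes %253A
    pluginFound: lookupRaw(viaPlugin, THIRD_PARTY_NAME), // not found under the literal name
    rawFound: lookupRaw(viaRaw, THIRD_PARTY_NAME),       // found
    // Why ad-hoc encoding exists at all: a raw ';' in a value ends the value.
    rawSemicolonValue: rawSet({}, 'pref', 'a;b').pref,
    encodedSemicolonValue: decodeURIComponent(jqueryPluginStyleSet({}, 'pref', 'a;b').pref),
  };
}

console.log(demo());
```

The takeaway for a defender reviewing such code is the same one the answer makes: whoever reads the cookie must agree with whoever writes it on the encoding, and a name or value that will be consumed by code you do not control (let alone passed to eval()) is exactly the kind of input whose origin and escaping you want to pin down rather than leave to an ad-hoc scheme.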