Created
May 5, 2015 15:30
-
-
Save roberttod/30b3654fee9b15511e58 to your computer and use it in GitHub Desktop.
None base64 chars allowed in cookie
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // http://tools.ietf.org/html/rfc6265#section-4.1.1 | |
| var allowedChars = [0x21, [0x23, 0x2B], [0x2D, 0x3A], [0x3C, 0x5B], [0x5D, 0x7E]] | |
| var chars = [] | |
| allowedChars.forEach(function (range) { | |
| if (!range.length) { | |
| chars.push(String.fromCharCode(range)) | |
| return | |
| } | |
| for (var code = range[0]; code < range[1]; code++) { | |
| chars.push(String.fromCharCode(code)) | |
| } | |
| }) | |
| var allowed = chars.filter(function (c) { | |
| return !/[A-Za-z\/+0-9]/.test(c) | |
| }).join('') | |
| console.log(allowed) | |
| // !#$%&'()*-.<=>?@]^_`{|} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Result is
!#$%&'()*-.<=>?@]^_{|}`Notice that
=is valid but could possible break bad cookie parsers.