Merge 929794596f18ada3ca5edfeae193c3b1a1c33823 into 71cefce08e9ee91f6fb841a668207ccfda1df169

Do not QueryEscape cookies (#1717 )
Cookies values are already sanitized by the Go http library, so there is no need to invoke QueryEscape() on them. Furthermore, QueryEscape() has the undesirable effect of replacing spaces wiith "+" characters.
2026-06-12 00:28:37 +08:00 · 2026-02-14 08:30:58 +07:00 · 2023-08-02 00:13:28 +02:00
2 changed files with 8 additions and 1 deletions
--- a/context.go
+++ b/context.go
@ -1111,7 +1111,7 @@ func (c *Context) SetCookie(name, value string, maxAge int, path, domain string,
 	}
 	http.SetCookie(c.Writer, &http.Cookie{
 		Name:     name,
-		Value:    url.QueryEscape(value),
+		Value:    value,
 		MaxAge:   maxAge,
 		Path:     path,
 		Domain:   domain,
--- a/context_test.go
+++ b/context_test.go
@ -1019,6 +1019,13 @@ func TestContextSetCookiePathEmpty(t *testing.T) {
 	assert.Equal(t, "user=gin; Path=/; Domain=localhost; Max-Age=1; HttpOnly; Secure; SameSite=Lax", c.Writer.Header().Get("Set-Cookie"))
 }

+func TestContextSetCookieWithSpace(t *testing.T) {
+	c, _ := CreateTestContext(httptest.NewRecorder())
+	c.SetSameSite(http.SameSiteLaxMode)
+	c.SetCookie("user", "gin test", 1, "/", "localhost", true, true)
+	assert.Equal(t, "user=\"gin test\"; Path=/; Domain=localhost; Max-Age=1; HttpOnly; Secure; SameSite=Lax", c.Writer.Header().Get("Set-Cookie"))
+}
+
 func TestContextGetCookie(t *testing.T) {
 	c, _ := CreateTestContext(httptest.NewRecorder())
 	c.Request, _ = http.NewRequest(http.MethodGet, "/get", nil)
Author	SHA1	Message	Date
Ludovico Cavedon	4226c7b1e6	Merge 929794596f18ada3ca5edfeae193c3b1a1c33823 into 71cefce08e9ee91f6fb841a668207ccfda1df169	2026-02-14 08:30:58 +07:00
Ludovico Cavedon	929794596f	Do not QueryEscape cookies (#1717 ) Cookies values are already sanitized by the Go http library, so there is no need to invoke QueryEscape() on them. Furthermore, QueryEscape() has the undesirable effect of replacing spaces wiith "+" characters.	2023-08-02 00:13:28 +02:00