Skip to content

gh-149144: Use decodeURIComponent() for UTF-8 support in js_output()#149157

Open
sethmlarson wants to merge 2 commits intopython:mainfrom
sethmlarson:js-cookie-percent-encoding
Open

gh-149144: Use decodeURIComponent() for UTF-8 support in js_output()#149157
sethmlarson wants to merge 2 commits intopython:mainfrom
sethmlarson:js-cookie-percent-encoding

Conversation

@sethmlarson
Copy link
Copy Markdown
Contributor

@sethmlarson sethmlarson commented Apr 29, 2026
edited by bedevere-app Bot
Loading

Related to #90309. Fixes a bug in the security fix #148848

The JavaScript function atob() only outputs strings in latin-1, not in utf-8. decodeURIComponent outputs to UTF-8. Tested in Firefox and Chrome and the function decodeURIComponent is supported by IE 5.5+.

Python:

>>> import urllib.parse as u
>>> u.quote('Ł/😀', safe='', encoding='utf-8')
'%C5%81%2F%F0%9F%98%80'

JavaScript (Firefox, Chrome):

>>> decodeURIComponent("%C5%81%2F%F0%9F%98%80")
<<< "Ł/😀"

@sethmlarson sethmlarson added the type-security A security issue label Apr 29, 2026
@bedevere-app bedevere-app Bot mentioned this pull request Apr 29, 2026
Open
@sethmlarson sethmlarson requested review from picnixz and serhiy-storchaka and removed request for picnixz April 29, 2026 14:45
StanFromIreland
StanFromIreland reviewed Apr 29, 2026
View reviewed changes
Comment thread Misc/NEWS.d/next/Security/2026-04-29-09-20-00.gh-issue-149144.knfL8K.rst Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@serhiy-storchaka serhiy-storchaka Awaiting requested review from serhiy-storchaka

@picnixz picnixz Awaiting requested review from picnixz

@StanFromIreland StanFromIreland Awaiting requested review from StanFromIreland

Assignees

No one assigned

Labels

awaiting review skip news type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sethmlarson @StanFromIreland