在学习javascript的cookie部分,看的书是JavaScript高级程序设计(第3版),我发现在书中封装的CookieUtil对象有漏洞,放部分源代码:
var CookieUtil = {
  // Book version (partial). Returns the decoded value of the cookie called
  // `name`, or null when no match is found in document.cookie.
  get: function (name) {
    var needle = encodeURIComponent(name) + "=";
    var all = document.cookie;
    // Defect discussed in the post: a bare indexOf() also matches the tail of a
    // longer cookie name, e.g. "name=" inside "username=".
    var start = all.indexOf(needle);
    if (start === -1) {
      return null;
    }
    var end = all.indexOf(";", start);
    if (end === -1) {
      end = all.length; // the last pair has no trailing separator
    }
    return decodeURIComponent(all.substring(start + needle.length, end));
  }
  // ... the book defines more methods here
};
这里在匹配name的时候存在着明显的问题,如果我有两个cookie,一个是uservalue=a 一个是value=b。
那么,document.cookie 里面就会有这样一段字符串:“uservalue=a; value=b”。
如果现在要查找的cookie是value,按照书中代码,用indexOf()查找"value="时,会先匹配到uservalue里的"value=",而不是独立的value,最终返回的数据就是错的。
在这里,我的解决方法是将cookie按/;\s/分成若干个数组,然后再在数组中找出name,放完整版代码:
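var CookieUtil = {
  /**
   * Read the cookie called `name`.
   *
   * The cookie string is split on ";" *before* any percent-decoding. The
   * previous version decoded the whole string first, so an encoded ";" or "="
   * inside a value (e.g. "x%3By") turned into a separator and cut the value
   * short. Each pair is split only at its first "=", so values that contain
   * "=" themselves (e.g. base64 padding) come back intact. Leading whitespace
   * after ";" is tolerated but not required.
   *
   * decodeURIComponent() throws a URIError on a malformed percent sequence,
   * which can happen for cookies written by other code; that is left to the
   * caller.
   *
   * @param {string} name - cookie name as passed to set()
   * @returns {string} the decoded value, or "" when no such cookie exists
   */
  get: function (name) {
    var pairs = document.cookie.split(";");
    for (var i = 0; i < pairs.length; i++) {
      var pair = pairs[i].replace(/^\s+/, "");
      var eq = pair.indexOf("=");
      if (eq === -1) {
        continue; // name-only or empty entry: nothing to return for it
      }
      // Compare the decoded name so names that set() had to encode round-trip.
      if (decodeURIComponent(pair.substring(0, eq)) === String(name)) {
        return decodeURIComponent(pair.substring(eq + 1));
      }
    }
    return "";
  },

  /**
   * Write a cookie. Name and value are percent-encoded; the attributes are
   * appended verbatim, so callers pass well-formed path/domain strings.
   *
   * @param {string} name
   * @param {string} value
   * @param {Date} [expires] - ignored unless it is a Date
   * @param {string} [path]
   * @param {string} [domain]
   * @param {boolean} [secure] - emit the "secure" flag
   */
  set: function (name, value, expires, path, domain, secure) {
    var cookieText = encodeURIComponent(name) + "=" + encodeURIComponent(value);
    if (expires instanceof Date) {
      // toUTCString() must be *called*; the previous version appended the
      // function object itself (`expires.toGMTString` without parentheses).
      cookieText += "; expires=" + expires.toUTCString();
    }
    if (path) {
      cookieText += "; path=" + path;
    }
    if (domain) {
      cookieText += "; domain=" + domain;
    }
    if (secure) {
      // "secure" is a flag attribute: it takes no value.
      cookieText += "; secure";
    }
    document.cookie = cookieText;
  },

  /**
   * Remove a cookie by rewriting it with an expiry in the past. path/domain
   * must match the ones used in set(), otherwise a different cookie is
   * targeted and the original survives.
   *
   * @param {string} name
   * @param {string} [path]
   * @param {string} [domain]
   * @param {boolean} [secure]
   */
  unset: function (name, path, domain, secure) {
    this.set(name, "", new Date(0), path, domain, secure);
  }
};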