+2001-06-18 Hrvoje Niksic <hniksic@arsdigita.com>
+
+ * cookies.c (ATTR_NAME_CHAR): Allow almost any character to be in
+ an attribute name.
+
2001-06-18 Hrvoje Niksic <hniksic@arsdigita.com>
* url.c (url_filename): Make sure that slashes that sneak in to
#undef NAME_IS
/* Returns non-zero for characters that are legal in the name of an
- attribute. */
-
-#define ATTR_NAME_CHAR(c) (ISALNUM (c) || (c) == '-' || (c) == '_')
+ attribute. This used to allow only alphanumerics, '-', and '_',
+ but we need to be more lenient because a number of sites wants to
+ use weirder attribute names. rfc2965 "informally specifies"
+ attribute name (token) as "a sequence of non-special, non-white
+ space characters". So we allow everything except the stuff we know
+ could harm us. */
+
+#define ATTR_NAME_CHAR(c) ((c) > 32 && (c) < 127 \
+ && (c) != '"' && (c) != '=' \
+ && (c) != ';' && (c) != ',')
/* Fetch the next character without doing anything special if CH gets
set to 0. (The code executed next is expected to handle it.) */
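Review bot: The new comment on `ATTR_NAME_CHAR` says it excludes "the stuff we know could harm us" without naming it, so a later maintainer cannot tell which exclusions the parser depends on. From the visible lines the rejected set is control characters and space (`<= 32`), DEL and every byte `>= 127`, plus `"`, `=`, `;` and `,`, which look like the delimiters the cookie parser splits on. I would spell that out, e.g. `/* Rejected: controls, space, non-ASCII, and '"' '=' ';' ',' (attribute delimiters). */`. The accepted set is still wider than the RFC token grammar, which also excludes separators such as `(`, `/`, `:` and `\`, so code that later writes a stored name to the cookie file or a request header should not assume it is token-safe. The macro now expands `c` six times, so it is only safe with a side-effect-free argument; the call sites are outside this hunk and should be checked.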