Merge commit from fork

yusukebe · web-flow · commit a586cd72e3f6 · 2026-04-07T13:07:50.000+09:00
diff --git a/src/utils/cookie.test.ts b/src/utils/cookie.test.ts
@@ -294,6 +294,18 @@ describe('Set cookie', () => {
     }).toThrowError('path must not contain ";", "\\r", or "\\n"')
   })
 
+  it('Should throw Error for invalid cookie name', () => {
+    expect(() => {
+      serialize('legit\r\nX-Injected: evil', 'value')
+    }).toThrowError('Invalid cookie name')
+    expect(() => {
+      serialize('bad;name', 'value')
+    }).toThrowError('Invalid cookie name')
+    expect(() => {
+      serialize('bad=name', 'value')
+    }).toThrowError('Invalid cookie name')
+  })
+
   it('Should serialize cookie with lowercase priority values', () => {
     const lowSerialized = serialize('test_cookie', 'value', {
       priority: 'low',
diff --git a/src/utils/cookie.ts b/src/utils/cookie.ts
@@ -139,6 +139,10 @@ export const parseSigned = async (
 }
 
 const _serialize = (name: string, value: string, opt: CookieOptions = {}): string => {
+  if (!validCookieNameRegEx.test(name)) {
+    throw new Error('Invalid cookie name')
+  }
+
   let cookie = `${name}=${value}`
 
   if (name.startsWith('__Secure-') && !opt.secure) {

Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,10 @@ export const parseSigned = async (`
`139`	`139`	`}`
`140`	`140`
`141`	`141`	`const _serialize = (name: string, value: string, opt: CookieOptions = {}): string => {`
	`142`	`+ if (!validCookieNameRegEx.test(name)) {`
	`143`	`+ throw new Error('Invalid cookie name')`
	`144`	`+ }`
	`145`	`+`
`142`	`146`	let cookie = `${name}=${value}`
`143`	`147`
`144`	`148`	`if (name.startsWith('__Secure-') && !opt.secure) {`