Last active December 16, 2015 15:00
JWPlayer 7 saves UTF-8 cookies without encoding them as per RFC6265. Invalid cookies cause critical server issue with Tomcat Java.
<p>If you use non-ASCII characters as a "caption label" (e.g., "<tt>Español</tt>"), JWPlayer saves the unencoded value in a cookie (<tt>jwplayer.captionLabel=Español</tt>). I found information on adding caption tracks here:<br>
<a href="" target="_blank"></a></p>
<p>More Info on allowable characters here:<br>
<a href="" target="_blank"></a></p>
<p>This RFC6265 non-compliant cookie value is currently causing problems with ColdFusion 10/11 using Tomcat 7. Any request to the Java platform with an invalid cookie will cause a 500 server error.<br>
<a href="" target="_blank"></a></p>
<p>It's standard practice to display language choices in the language of the speaker/reader, but saving the Unicode value directly without using JavaScript's "<tt>encodeURIComponent</tt>" should be avoided.</p>
<p>[UPDATE 12/16/2015] On 11/19/2015 (less than 30 days after reporting this), <a href="">JWPlayer 7.2</a> was released and all settings are now saved using local storage.</p>
<p>[UPDATE 12/16/2015] Adobe ColdFusion was notified about this issue at the same time. New <a href="">CF 10/11 patches</a> were released on 11/17/2015, but this issue probably wasn't fixed. (I can't test it anywhere yet.)</p>
<p>To see if your ColdFusion server is vulnerable, add the following JavaScript to your website. If you add this JS to, you won't be able to access CF any more.</p>
&lt;script type="text/javascript"&gt;
// Sets a cookie whose value contains an unencoded non-ASCII character (ñ)
document.cookie = "lang=Español";
&lt;/script&gt;
<p>Here's the offending JWPlayer caption label.</p>
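&lt;script type="text/javascript"&gt;
// "player" is a placeholder for the id of the player's container element
jwplayer("player").setup({
  file: '',
  image: '',
  title: 'Demo',
  width: '100%',
  aspectratio: '4:3',
  cookies: true, // persist viewer settings (including the caption label) in cookies
  tracks: [{
    file: "/jwplayer_en.vtt",
    label: 'English',
    kind: 'captions'
  }, {
    file: "/jwplayer_es.vtt",
    label: '<span style="background-color:#ff0;">Español</span>', // non-ASCII label that ends up in the cookie
    kind: 'captions'
  }]
});
&lt;/script&gt;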
<p>The above configuration causes JWPlayer to generate a "<tt>jwplayer.captionLabel=Español</tt>" cookie when switching to Spanish. After the invalid cookie is created, no new web requests to the ColdFusion 10/11 Tomcat server can be processed.</p>
<p><b>SOLUTION:</b> Use <tt>encodeURIComponent</tt> so that the value is properly encoded as "Espa%C3%B1ol". (NOTE: <tt>encodeURIComponent</tt> is already being used in the JWPlayer JavaScript library. It should be used when saving cookies.)</p>
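<p>The fix described above, as an added example that is not code from this gist, from JWPlayer or from ColdFusion: it encodes the value before it is stored and, going one step beyond the post, scans a <tt>Cookie</tt> header for values that break the RFC 6265 <tt>cookie-octet</tt> grammar. All function names are hypothetical and the sample headers are constructed.</p>

```javascript
// Added example: RFC 6265 cookie-value checking and safe encoding.
// Function names are illustrative, not part of JW Player or ColdFusion.

// cookie-octet per RFC 6265 section 4.1.1: printable US-ASCII except
// whitespace, DQUOTE, comma, semicolon and backslash (optionally quoted).
const OCTETS = '[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*';
const COOKIE_VALUE = new RegExp('^(?:' + OCTETS + '|"' + OCTETS + '")$');

function isValidCookieValue(value) {
  return COOKIE_VALUE.test(value);
}

// Build a name=value pair whose value is always valid cookie-octets.
// encodeURIComponent emits only A-Z a-z 0-9 - _ . ! ~ * ' ( ) and %XX.
function buildCookiePair(name, value) {
  return name + '=' + encodeURIComponent(value);
}

// Split a Cookie header into [name, rawValue] pairs.
function parseCookieHeader(header) {
  return header.split(';').map(function (part) {
    const eq = part.indexOf('=');
    return eq < 0 ? [part.trim(), '']
                  : [part.slice(0, eq).trim(), part.slice(eq + 1).trim()];
  }).filter(function (pair) { return pair[0] !== ''; });
}

// Names of cookies whose raw value violates the RFC 6265 grammar.
function findInvalidCookies(header) {
  return parseCookieHeader(header)
    .filter(function (pair) { return !isValidCookieValue(pair[1]); })
    .map(function (pair) { return pair[0]; });
}

// Read a cookie back, undoing the encoding applied by buildCookiePair.
function readCookie(header, name) {
  const hit = parseCookieHeader(header).find(function (p) { return p[0] === name; });
  if (!hit) return null;
  try { return decodeURIComponent(hit[1]); } catch (e) { return hit[1]; }
}

// Constructed sample headers: the raw form from the post, then the encoded form.
const badHeader = 'lang=Español; jwplayer.captionLabel=Español; sid=abc123';
const goodHeader = buildCookiePair('jwplayer.captionLabel', 'Español') + '; sid=abc123';
console.log(findInvalidCookies(badHeader), findInvalidCookies(goodHeader));
console.log(readCookie(goodHeader, 'jwplayer.captionLabel'));
```

<p>In a browser the encoded pair would be assigned with <tt>document.cookie = buildCookiePair(name, value)</tt>; the label shown to the viewer is recovered with <tt>decodeURIComponent</tt> on read.</p>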