If a cookie is created with a " character in the content, the js_output
which is emitted is bad javascript. eg.
>>> import Cookie
>>> c=Cookie.Cookie('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
>>> print c
Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme; Version=1
>>> print c.js_output()

        <script type="text/javascript">
        <!-- begin hiding
        document.cookie = "Customer="WILE_E_COYOTE"; Path=/acme; Version=1";
        // end hiding -->
        </script>
        
>>> 

Also, the test_cookie tests (test_load) explicitly checks for this
(wrong) output.

I have attached a patch that seems to fix this or at the very least
produces the same Cookie settings whether the cookie is set using the
header or using javascript (I've verified this on firefox on Linux).

The patch looks correct but it breaks the unit test: updated patch 
fixes Lib/test/test_cookie.py.

A lot of the cookie tests need to be updated. A separate bug was filed
regarding this. http://bugs.python.org/issue3788. 

I'm working on that now and will apply your patch there as well.

The characters <>& should also be escaped.

What's wrong with < and >?

I can see the issues with ; though.

> What's wrong with < and >?

>>> c=Cookie.Cookie('Customer="</script>";'); print c.js_output()

        <script type="text/javascript">
        <!-- begin hiding
        document.cookie = "Customer="</script>"";
        // end hiding -->
        </script>

It allows HTML/Javascript injection. Well, Python 2.5 already displays 
a warning:

/usr/lib/python2.5/Cookie.py:710: DeprecationWarning: 
Cookie/SmartCookie class is insecure; do not use it

The right fix is maybe to remove deprecated and unsecure function!

Cookie.Cookie is deprecated in Py2k. In Py3k, it is
http.cookies.SimpleCookie. The bug was present in Py3k, the attached
patch fixes it.

Because SimpleCookie class is still usable (that is not deprecated), it
makes sense to back port to Py2.7.
Applied the patches in revision 71030 and r71029. Thanks.