3 A querystring parsing and stringifying library with some added security.
5 [![Build Status](https://api.travis-ci.org/ljharb/qs.svg)](http://travis-ci.org/ljharb/qs)
7 Lead Maintainer: [Jordan Harband](https://github.com/ljharb)
9 The **qs** module was originally created and maintained by [TJ Holowaychuk](https://github.com/visionmedia/node-querystring).
14 var qs = require('qs');
15 var assert = require('assert');
17 var obj = qs.parse('a=c');
18 assert.deepEqual(obj, { a: 'c' });
20 var str = qs.stringify(obj);
21 assert.equal(str, 'a=c');
28 qs.parse(string, [options]);
31 **qs** allows you to create nested objects within your query strings, by surrounding the name of sub-keys with square brackets `[]`.
32 For example, the string `'foo[bar]=baz'` converts to:
35 assert.deepEqual(qs.parse('foo[bar]=baz'), {
42 When using the `plainObjects` option the parsed value is returned as a plain object, created via `Object.create(null)` and as such you should be aware that prototype methods will not exist on it and a user may set those names to whatever value they like:
45 var plainObject = qs.parse('a[hasOwnProperty]=b', { plainObjects: true });
46 assert.deepEqual(plainObject, { a: { hasOwnProperty: 'b' } });
49 By default parameters that would overwrite properties on the object prototype are ignored, if you wish to keep the data from those fields either use `plainObjects` as mentioned above, or set `allowPrototypes` to `true` which will allow user input to overwrite those properties. *WARNING* It is generally a bad idea to enable this option as it can cause problems when attempting to use the properties that have been overwritten. Always be careful with this option.
52 var protoObject = qs.parse('a[hasOwnProperty]=b', { allowPrototypes: true });
53 assert.deepEqual(protoObject, { a: { hasOwnProperty: 'b' } });
56 URI encoded strings work too:
59 assert.deepEqual(qs.parse('a%5Bb%5D=c'), {
64 You can also nest your objects, like `'foo[bar][baz]=foobarbaz'`:
67 assert.deepEqual(qs.parse('foo[bar][baz]=foobarbaz'), {
76 By default, when nesting objects **qs** will only parse up to 5 children deep. This means if you attempt to parse a string like
77 `'a[b][c][d][e][f][g][h][i]=j'` your resulting object will be:
95 var string = 'a[b][c][d][e][f][g][h][i]=j';
96 assert.deepEqual(qs.parse(string), expected);
99 This depth can be overridden by passing a `depth` option to `qs.parse(string, [options])`:
102 var deep = qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1 });
103 assert.deepEqual(deep, { a: { b: { '[c][d][e][f][g][h][i]': 'j' } } });
106 The depth limit helps mitigate abuse when **qs** is used to parse user input, and it is recommended to keep it a reasonably small number.
108 For similar reasons, by default **qs** will only parse up to 1000 parameters. This can be overridden by passing a `parameterLimit` option:
111 var limited = qs.parse('a=b&c=d', { parameterLimit: 1 });
112 assert.deepEqual(limited, { a: 'b' });
115 An optional delimiter can also be passed:
118 var delimited = qs.parse('a=b;c=d', { delimiter: ';' });
119 assert.deepEqual(delimited, { a: 'b', c: 'd' });
122 Delimiters can be a regular expression too:
125 var regexed = qs.parse('a=b;c=d,e=f', { delimiter: /[;,]/ });
126 assert.deepEqual(regexed, { a: 'b', c: 'd', e: 'f' });
129 Option `allowDots` can be used to enable dot notation:
132 var withDots = qs.parse('a.b=c', { allowDots: true });
133 assert.deepEqual(withDots, { a: { b: 'c' } });
138 **qs** can also parse arrays using a similar `[]` notation:
141 var withArray = qs.parse('a[]=b&a[]=c');
142 assert.deepEqual(withArray, { a: ['b', 'c'] });
145 You may specify an index as well:
148 var withIndexes = qs.parse('a[1]=c&a[0]=b');
149 assert.deepEqual(withIndexes, { a: ['b', 'c'] });
152 Note that the only difference between an index in an array and a key in an object is that the value between the brackets must be a number
153 to create an array. When creating arrays with specific indices, **qs** will compact a sparse array to only the existing values preserving
157 var noSparse = qs.parse('a[1]=b&a[15]=c');
158 assert.deepEqual(noSparse, { a: ['b', 'c'] });
161 Note that an empty string is also a value, and will be preserved:
164 var withEmptyString = qs.parse('a[]=&a[]=b');
165 assert.deepEqual(withEmptyString, { a: ['', 'b'] });
167 var withIndexedEmptyString = qs.parse('a[0]=b&a[1]=&a[2]=c');
168 assert.deepEqual(withIndexedEmptyString, { a: ['b', '', 'c'] });
171 **qs** will also limit specifying indices in an array to a maximum index of `20`. Any array members with an index of greater than `20` will
172 instead be converted to an object with the index as the key:
175 var withMaxIndex = qs.parse('a[100]=b');
176 assert.deepEqual(withMaxIndex, { a: { '100': 'b' } });
179 This limit can be overridden by passing an `arrayLimit` option:
182 var withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 });
183 assert.deepEqual(withArrayLimit, { a: { '1': 'b' } });
186 To disable array parsing entirely, set `parseArrays` to `false`.
189 var noParsingArrays = qs.parse('a[]=b', { parseArrays: false });
190 assert.deepEqual(noParsingArrays, { a: { '0': 'b' } });
193 If you mix notations, **qs** will merge the two items into an object:
196 var mixedNotation = qs.parse('a[0]=b&a[b]=c');
197 assert.deepEqual(mixedNotation, { a: { '0': 'b', b: 'c' } });
200 You can also create arrays of objects:
203 var arraysOfObjects = qs.parse('a[][b]=c');
204 assert.deepEqual(arraysOfObjects, { a: [{ b: 'c' }] });
211 qs.stringify(object, [options]);
214 When stringifying, **qs** by default URI encodes output. Objects are stringified as you would expect:
217 assert.equal(qs.stringify({ a: 'b' }), 'a=b');
218 assert.equal(qs.stringify({ a: { b: 'c' } }), 'a%5Bb%5D=c');
221 This encoding can be disabled by setting the `encode` option to `false`:
224 var unencoded = qs.stringify({ a: { b: 'c' } }, { encode: false });
225 assert.equal(unencoded, 'a[b]=c');
228 This encoding can also be replaced by a custom encoding method set as `encoder` option:
231 var encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str) {
232 // Passed in values `a`, `b`, `c`
233 return // Return encoded string
237 _(Note: the `encoder` option does not apply if `encode` is `false`)_
239 Analogue to the `encoder` there is a `decoder` option for `parse` to override decoding of properties and values:
242 var decoded = qs.parse('x=z', { decoder: function (str) {
243 // Passed in values `x`, `z`
244 return // Return decoded string
248 Examples beyond this point will be shown as though the output is not URI encoded for clarity. Please note that the return values in these cases *will* be URI encoded during real usage.
250 When arrays are stringified, by default they are given explicit indices:
253 qs.stringify({ a: ['b', 'c', 'd'] });
254 // 'a[0]=b&a[1]=c&a[2]=d'
257 You may override this by setting the `indices` option to `false`:
260 qs.stringify({ a: ['b', 'c', 'd'] }, { indices: false });
264 You may use the `arrayFormat` option to specify the format of the output array
267 qs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'indices' })
269 qs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'brackets' })
271 qs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'repeat' })
275 Empty strings and null values will omit the value, but the equals sign (=) remains in place:
278 assert.equal(qs.stringify({ a: '' }), 'a=');
281 Properties that are set to `undefined` will be omitted entirely:
284 assert.equal(qs.stringify({ a: null, b: undefined }), 'a=');
287 The delimiter may be overridden with stringify as well:
290 assert.equal(qs.stringify({ a: 'b', c: 'd' }, { delimiter: ';' }), 'a=b;c=d');
293 Finally, you can use the `filter` option to restrict which keys will be included in the stringified output.
294 If you pass a function, it will be called for each key to obtain the replacement value. Otherwise, if you
295 pass an array, it will be used to select properties and array indices for stringification:
298 function filterFunc(prefix, value) {
300 // Return an `undefined` value to omit a property.
303 if (prefix == 'e[f]') {
304 return value.getTime();
306 if (prefix == 'e[g][0]') {
311 qs.stringify({ a: 'b', c: 'd', e: { f: new Date(123), g: [2] } }, { filter: filterFunc });
312 // 'a=b&c=d&e[f]=123&e[g][0]=4'
313 qs.stringify({ a: 'b', c: 'd', e: 'f' }, { filter: ['a', 'e'] });
315 qs.stringify({ a: ['b', 'c', 'd'], e: 'f' }, { filter: ['a', 0, 2] });
319 ### Handling of `null` values
321 By default, `null` values are treated like empty strings:
324 var withNull = qs.stringify({ a: null, b: '' });
325 assert.equal(withNull, 'a=&b=');
328 Parsing does not distinguish between parameters with and without equal signs. Both are converted to empty strings.
331 var equalsInsensitive = qs.parse('a&b=');
332 assert.deepEqual(equalsInsensitive, { a: '', b: '' });
335 To distinguish between `null` values and empty strings use the `strictNullHandling` flag. In the result string the `null`
336 values have no `=` sign:
339 var strictNull = qs.stringify({ a: null, b: '' }, { strictNullHandling: true });
340 assert.equal(strictNull, 'a&b=');
343 To parse values without `=` back to `null` use the `strictNullHandling` flag:
346 var parsedStrictNull = qs.parse('a&b=', { strictNullHandling: true });
347 assert.deepEqual(parsedStrictNull, { a: null, b: '' });
350 To completely skip rendering keys with `null` values, use the `skipNulls` flag:
353 var nullsSkipped = qs.stringify({ a: 'b', c: null}, { skipNulls: true });
354 assert.equal(nullsSkipped, 'a=b');
357 ### Dealing with special character sets
359 By default the encoding and decoding of characters is done in `utf-8`. If you
360 wish to encode querystrings to a different character set (i.e.
361 [Shift JIS](https://en.wikipedia.org/wiki/Shift_JIS)) you can use the
362 [`qs-iconv`](https://github.com/martinheidegger/qs-iconv) library:
365 var encoder = require('qs-iconv/encoder')('shift_jis');
366 var shiftJISEncoded = qs.stringify({ a: 'こんにちは!' }, { encoder: encoder });
367 assert.equal(shiftJISEncoded, 'a=%82%B1%82%F1%82%C9%82%BF%82%CD%81I');
370 This also works for decoding of query strings:
373 var decoder = require('qs-iconv/decoder')('shift_jis');
374 var obj = qs.parse('a=%82%B1%82%F1%82%C9%82%BF%82%CD%81I', { decoder: decoder });
375 assert.deepEqual(obj, { a: 'こんにちは!' });