You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

222 lines
4.9 KiB

7 years ago
  1. # qs
  2. A querystring parsing and stringifying library with some added security.
  3. [![Build Status](https://secure.travis-ci.org/hapijs/qs.svg)](http://travis-ci.org/hapijs/qs)
  4. Lead Maintainer: [Nathan LaFreniere](https://github.com/nlf)
  5. The **qs** module was originally created and maintained by [TJ Holowaychuk](https://github.com/visionmedia/node-querystring).
  6. ## Usage
  7. ```javascript
  8. var Qs = require('qs');
  9. var obj = Qs.parse('a=c'); // { a: 'c' }
  10. var str = Qs.stringify(obj); // 'a=c'
  11. ```
  12. ### Parsing Objects
  13. ```javascript
  14. Qs.parse(string, [options]);
  15. ```
  16. **qs** allows you to create nested objects within your query strings, by surrounding the name of sub-keys with square brackets `[]`.
  17. For example, the string `'foo[bar]=baz'` converts to:
  18. ```javascript
  19. {
  20. foo: {
  21. bar: 'baz'
  22. }
  23. }
  24. ```
  25. URI encoded strings work too:
  26. ```javascript
  27. Qs.parse('a%5Bb%5D=c');
  28. // { a: { b: 'c' } }
  29. ```
  30. You can also nest your objects, like `'foo[bar][baz]=foobarbaz'`:
  31. ```javascript
  32. {
  33. foo: {
  34. bar: {
  35. baz: 'foobarbaz'
  36. }
  37. }
  38. }
  39. ```
  40. By default, when nesting objects **qs** will only parse up to 5 children deep. This means if you attempt to parse a string like
  41. `'a[b][c][d][e][f][g][h][i]=j'` your resulting object will be:
  42. ```javascript
  43. {
  44. a: {
  45. b: {
  46. c: {
  47. d: {
  48. e: {
  49. f: {
  50. '[g][h][i]': 'j'
  51. }
  52. }
  53. }
  54. }
  55. }
  56. }
  57. }
  58. ```
  59. This depth can be overridden by passing a `depth` option to `Qs.parse(string, [options])`:
  60. ```javascript
  61. Qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1 });
  62. // { a: { b: { '[c][d][e][f][g][h][i]': 'j' } } }
  63. ```
  64. The depth limit helps mitigate abuse when **qs** is used to parse user input, and it is recommended to keep it a reasonably small number.
  65. For similar reasons, by default **qs** will only parse up to 1000 parameters. This can be overridden by passing a `parameterLimit` option:
  66. ```javascript
  67. Qs.parse('a=b&c=d', { parameterLimit: 1 });
  68. // { a: 'b' }
  69. ```
  70. An optional delimiter can also be passed:
  71. ```javascript
  72. Qs.parse('a=b;c=d', { delimiter: ';' });
  73. // { a: 'b', c: 'd' }
  74. ```
  75. Delimiters can be a regular expression too:
  76. ```javascript
  77. Qs.parse('a=b;c=d,e=f', { delimiter: /[;,]/ });
  78. // { a: 'b', c: 'd', e: 'f' }
  79. ```
  80. ### Parsing Arrays
  81. **qs** can also parse arrays using a similar `[]` notation:
  82. ```javascript
  83. Qs.parse('a[]=b&a[]=c');
  84. // { a: ['b', 'c'] }
  85. ```
  86. You may specify an index as well:
  87. ```javascript
  88. Qs.parse('a[1]=c&a[0]=b');
  89. // { a: ['b', 'c'] }
  90. ```
  91. Note that the only difference between an index in an array and a key in an object is that the value between the brackets must be a number
  92. to create an array. When creating arrays with specific indices, **qs** will compact a sparse array to only the existing values preserving
  93. their order:
  94. ```javascript
  95. Qs.parse('a[1]=b&a[15]=c');
  96. // { a: ['b', 'c'] }
  97. ```
  98. Note that an empty string is also a value, and will be preserved:
  99. ```javascript
  100. Qs.parse('a[]=&a[]=b');
  101. // { a: ['', 'b'] }
  102. Qs.parse('a[0]=b&a[1]=&a[2]=c');
  103. // { a: ['b', '', 'c'] }
  104. ```
  105. **qs** will also limit specifying indices in an array to a maximum index of `20`. Any array members with an index of greater than `20` will
  106. instead be converted to an object with the index as the key:
  107. ```javascript
  108. Qs.parse('a[100]=b');
  109. // { a: { '100': 'b' } }
  110. ```
  111. This limit can be overridden by passing an `arrayLimit` option:
  112. ```javascript
  113. Qs.parse('a[1]=b', { arrayLimit: 0 });
  114. // { a: { '1': 'b' } }
  115. ```
  116. To disable array parsing entirely, set `arrayLimit` to `-1`.
  117. If you mix notations, **qs** will merge the two items into an object:
  118. ```javascript
  119. Qs.parse('a[0]=b&a[b]=c');
  120. // { a: { '0': 'b', b: 'c' } }
  121. ```
  122. You can also create arrays of objects:
  123. ```javascript
  124. Qs.parse('a[][b]=c');
  125. // { a: [{ b: 'c' }] }
  126. ```
  127. ### Stringifying
  128. ```javascript
  129. Qs.stringify(object, [options]);
  130. ```
  131. When stringifying, **qs** always URI encodes output. Objects are stringified as you would expect:
  132. ```javascript
  133. Qs.stringify({ a: 'b' });
  134. // 'a=b'
  135. Qs.stringify({ a: { b: 'c' } });
  136. // 'a%5Bb%5D=c'
  137. ```
  138. Examples beyond this point will be shown as though the output is not URI encoded for clarity. Please note that the return values in these cases *will* be URI encoded during real usage.
  139. When arrays are stringified, by default they are given explicit indices:
  140. ```javascript
  141. Qs.stringify({ a: ['b', 'c', 'd'] });
  142. // 'a[0]=b&a[1]=c&a[2]=d'
  143. ```
  144. You may override this by setting the `indices` option to `false`:
  145. ```javascript
  146. Qs.stringify({ a: ['b', 'c', 'd'] }, { indices: false });
  147. // 'a=b&a=c&a=d'
  148. ```
  149. Empty strings and null values will omit the value, but the equals sign (=) remains in place:
  150. ```javascript
  151. Qs.stringify({ a: '' });
  152. // 'a='
  153. ```
  154. Properties that are set to `undefined` will be omitted entirely:
  155. ```javascript
  156. Qs.stringify({ a: null, b: undefined });
  157. // 'a='
  158. ```
  159. The delimiter may be overridden with stringify as well:
  160. ```javascript
  161. Qs.stringify({ a: 'b', c: 'd' }, { delimiter: ';' });
  162. // 'a=b;c=d'
  163. ```