Security News
Input Validation Vulnerabilities Dominate MITRE's 2024 CWE Top 25 List
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
query-string
Advanced tools
The query-string npm package is used for parsing and stringifying URL query strings. It provides a simple API for dealing with query strings in a way that is both convenient and cross-browser compatible.
Parsing query strings
This feature allows you to parse a query string into an object. It automatically handles various edge cases and decoding of parameters.
const queryString = require('query-string');
const parsed = queryString.parse('?foo=bar');
console.log(parsed); //=> {foo: 'bar'}
Stringifying objects
This feature enables you to take an object and convert it into a URL query string. It ensures that keys and values are properly encoded.
const queryString = require('query-string');
const stringified = queryString.stringify({foo: 'bar'});
console.log(stringified); //=> 'foo=bar'
Extracting query strings
This function extracts the query string from a URL.
const queryString = require('query-string');
const extracted = queryString.extract('http://example.com/?foo=bar');
console.log(extracted); //=> '?foo=bar'
Parsing arrays and objects
The package can parse query strings with array and object syntax, turning them into the corresponding JavaScript structures.
const queryString = require('query-string');
const parsed = queryString.parse('?foo[]=bar&foo[]=baz');
console.log(parsed); //=> {foo: ['bar', 'baz']}
The 'qs' package is a query string parser with nesting support. It is more feature-rich than query-string, allowing for complex structures like nested objects and arrays. However, it might be overkill for simple use cases.
This is a polyfill for the URLSearchParams API which is built into modern browsers. It provides similar functionality to query-string but is designed to mimic the native browser API.
querystringify is a small and simple query string parser and stringifier. It is focused on speed and simplicity, and while it has fewer features than query-string, it may be faster in some cases.
Parse and stringify URL query strings
$ npm install query-string
This module targets Node.js 6 or later and the latest version of Chrome, Firefox, and Safari. If you want support for older browsers, or, if your project is using create-react-app v1, use version 5: npm install query-string@5
.
const queryString = require('query-string');
console.log(location.search);
//=> '?foo=bar'
const parsed = queryString.parse(location.search);
console.log(parsed);
//=> {foo: 'bar'}
console.log(location.hash);
//=> '#token=bada55cafe'
const parsedHash = queryString.parse(location.hash);
console.log(parsedHash);
//=> {token: 'bada55cafe'}
parsed.foo = 'unicorn';
parsed.ilike = 'pizza';
const stringified = queryString.stringify(parsed);
//=> 'foo=unicorn&ilike=pizza'
location.search = stringified;
// note that `location.search` automatically prepends a question mark
console.log(location.search);
//=> '?foo=unicorn&ilike=pizza'
Parse a query string into an object. Leading ?
or #
are ignored, so you can pass location.search
or location.hash
directly.
The returned object is created with Object.create(null)
and thus does not have a prototype
.
Type: object
Type: boolean
Default: true
Decode the keys and values. URL components are decoded with decode-uri-component
.
Type: string
Default: 'none'
'bracket'
: Parse arrays with bracket representation:const queryString = require('query-string');
queryString.parse('foo[]=1&foo[]=2&foo[]=3', {arrayFormat: 'bracket'});
//=> {foo: ['1', '2', '3']}
'index'
: Parse arrays with index representation:const queryString = require('query-string');
queryString.parse('foo[0]=1&foo[1]=2&foo[3]=3', {arrayFormat: 'index'});
//=> {foo: ['1', '2', '3']}
'comma'
: Parse arrays with elements separated by comma:const queryString = require('query-string');
queryString.parse('foo=1,2,3', {arrayFormat: 'comma'});
//=> {foo: ['1', '2', '3']}
'separator'
: Parse arrays with elements separated by a custom character:const queryString = require('query-string');
queryString.parse('foo=1|2|3', {arrayFormat: 'separator', arrayFormatSeparator: '|'});
//=> {foo: ['1', '2', '3']}
'none'
: Parse arrays with elements using duplicate keys:const queryString = require('query-string');
queryString.parse('foo=1&foo=2&foo=3');
//=> {foo: ['1', '2', '3']}
Type: string
Default: ','
The character used to separate array elements when using {arrayFormat: 'separator'}
.
Type: Function | boolean
Default: true
Supports both Function
as a custom sorting function or false
to disable sorting.
Type: boolean
Default: false
const queryString = require('query-string');
queryString.parse('foo=1', {parseNumbers: true});
//=> {foo: 1}
Parse the value as a number type instead of string type if it's a number.
Type: boolean
Default: false
const queryString = require('query-string');
queryString.parse('foo=true', {parseBooleans: true});
//=> {foo: true}
Parse the value as a boolean type instead of string type if it's a boolean.
Stringify an object into a query string and sorting the keys.
Type: object
Type: boolean
Default: true
Strictly encode URI components with strict-uri-encode. It uses encodeURIComponent if set to false. You probably don't care about this option.
Type: boolean
Default: true
URL encode the keys and values.
Type: string
Default: 'none'
'bracket'
: Serialize arrays using bracket representation:const queryString = require('query-string');
queryString.stringify({foo: [1, 2, 3]}, {arrayFormat: 'bracket'});
//=> 'foo[]=1&foo[]=2&foo[]=3'
'index'
: Serialize arrays using index representation:const queryString = require('query-string');
queryString.stringify({foo: [1, 2, 3]}, {arrayFormat: 'index'});
//=> 'foo[0]=1&foo[1]=2&foo[2]=3'
'comma'
: Serialize arrays by separating elements with comma:const queryString = require('query-string');
queryString.stringify({foo: [1, 2, 3]}, {arrayFormat: 'comma'});
//=> 'foo=1,2,3'
'none'
: Serialize arrays by using duplicate keys:const queryString = require('query-string');
queryString.stringify({foo: [1, 2, 3]});
//=> 'foo=1&foo=2&foo=3'
Type: string
Default: ','
The character used to separate array elements when using {arrayFormat: 'separator'}
.
Type: Function | boolean
Supports both Function
as a custom sorting function or false
to disable sorting.
const queryString = require('query-string');
const order = ['c', 'a', 'b'];
queryString.stringify({a: 1, b: 2, c: 3}, {
sort: (a, b) => order.indexOf(a) - order.indexOf(b)
});
//=> 'c=3&a=1&b=2'
const queryString = require('query-string');
queryString.stringify({b: 1, c: 2, a: 3}, {sort: false});
//=> 'b=1&c=2&a=3'
If omitted, keys are sorted using Array#sort()
, which means, converting them to strings and comparing strings in Unicode code point order.
Skip keys with null
as the value.
Note that keys with undefined
as the value are always skipped.
Type: boolean
Default: false
const queryString = require('query-string');
queryString.stringify({a: 1, b: undefined, c: null, d: 4}, {
skipNull: true
});
//=> 'a=1&d=4'
const queryString = require('query-string');
queryString.stringify({a: undefined, b: null}, {
skipNull: true
});
//=> ''
Skip keys with an empty string as the value.
Type: boolean
Default: false
const queryString = require('query-string');
queryString.stringify({a: 1, b: '', c: '', d: 4}, {
skipEmptyString: true
});
//=> 'a=1&d=4'
const queryString = require('query-string');
queryString.stringify({a: '', b: ''}, {
skipEmptyString: true
});
//=> ''
Extract a query string from a URL that can be passed into .parse()
.
Note: This behaviour can be changed with the skipNull
option.
Extract the URL and the query string as an object.
Returns an object with a url
and query
property.
If the parseFragmentIdentifier
option is true
, the object will also contain a fragmentIdentifier
property.
const queryString = require('query-string');
queryString.parseUrl('https://foo.bar?foo=bar');
//=> {url: 'https://foo.bar', query: {foo: 'bar'}}
queryString.parseUrl('https://foo.bar?foo=bar#xyz', {parseFragmentIdentifier: true});
//=> {url: 'https://foo.bar', query: {foo: 'bar'}, fragmentIdentifier: 'xyz'}
Type: object
The options are the same as for .parse()
.
Extra options are as below.
Parse the fragment identifier from the URL.
Type: boolean
Default: false
const queryString = require('query-string');
queryString.parseUrl('https://foo.bar?foo=bar#xyz', {parseFragmentIdentifier: true});
//=> {url: 'https://foo.bar', query: {foo: 'bar'}, fragmentIdentifier: 'xyz'}
Stringify an object into a URL with a query string and sorting the keys. The inverse of .parseUrl()
The options
are the same as for .stringify()
.
Returns a string with the URL and a query string.
Query items in the query
property overrides queries in the url
property.
The fragmentIdentifier
property overrides the fragment identifier in the url
property.
queryString.stringifyUrl({url: 'https://foo.bar', query: {foo: 'bar'}});
//=> 'https://foo.bar?foo=bar'
queryString.stringifyUrl({url: 'https://foo.bar?foo=baz', query: {foo: 'bar'}});
//=> 'https://foo.bar?foo=bar'
queryString.stringifyUrl({
url: 'https://foo.bar',
query: {
top: 'foo'
},
fragmentIdentifier: 'bar'
});
//=> 'https://foo.bar?top=foo#bar'
Type: object
Type: string
The URL to stringify.
Type: object
Query items to add to the URL.
Pick query parameters from a URL.
Returns a string with the new URL.
const queryString = require('query-string');
queryString.pick('https://foo.bar?foo=1&bar=2#hello', ['foo']);
//=> 'https://foo.bar?foo=1#hello'
queryString.pick('https://foo.bar?foo=1&bar=2#hello', (name, value) => value === 2, {parseNumbers: true});
//=> 'https://foo.bar?bar=2#hello'
Exclude query parameters from a URL.
Returns a string with the new URL.
const queryString = require('query-string');
queryString.exclude('https://foo.bar?foo=1&bar=2#hello', ['foo']);
//=> 'https://foo.bar?bar=2#hello'
queryString.exclude('https://foo.bar?foo=1&bar=2#hello', (name, value) => value === 2, {parseNumbers: true});
//=> 'https://foo.bar?foo=1#hello'
Type: string
The URL containing the query parameters to filter.
Type: string[]
The names of the query parameters to filter based on the function used.
Type: (key, value) => boolean
A filter predicate that will be provided the name of each query parameter and its value. The parseNumbers
and parseBooleans
options also affect value
.
Type: object
Parse options and stringify options.
This module intentionally doesn't support nesting as it's not spec'd and varies between implementations, which causes a lot of edge cases.
You're much better off just converting the object to a JSON string:
const queryString = require('query-string');
queryString.stringify({
foo: 'bar',
nested: JSON.stringify({
unicorn: 'cake'
})
});
//=> 'foo=bar&nested=%7B%22unicorn%22%3A%22cake%22%7D'
However, there is support for multiple instances of the same key:
const queryString = require('query-string');
queryString.parse('likes=cake&name=bob&likes=icecream');
//=> {likes: ['cake', 'icecream'], name: 'bob'}
queryString.stringify({color: ['taupe', 'chartreuse'], id: '515'});
//=> 'color=taupe&color=chartreuse&id=515'
Sometimes you want to unset a key, or maybe just make it present without assigning a value to it. Here is how falsy values are stringified:
const queryString = require('query-string');
queryString.stringify({foo: false});
//=> 'foo=false'
queryString.stringify({foo: null});
//=> 'foo'
queryString.stringify({foo: undefined});
//=> ''
Available as part of the Tidelift Subscription.
The maintainers of query-string and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.
FAQs
Parse and stringify URL query strings
The npm package query-string receives a total of 12,368,855 weekly downloads. As such, query-string popularity was classified as popular.
We found that query-string demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.