--wip-- [skip ci]

lukaselmer · lukaselmer · commit 39935cce0459 · 2025-10-30T13:22:28.000+01:00
diff --git a/HISTORY.md b/HISTORY.md
@@ -2,13 +2,16 @@ unreleased
 =========================
 
 * refactor: move common request validation to read function
-* deps: 
+* deps:
   * type-is@^2.0.1
   * iconv-lite@^0.7.0
     * Handle split surrogate pairs when encoding UTF-8
-    * Avoid false positives in `encodingExists` by using prototype-less objects 
+    * Avoid false positives in `encodingExists` by using prototype-less objects
   * raw-body@^3.0.1
   * debug@^4.4.3
+* `urlencoded` can now be configured to use a query parsing function provided by the user
+  * to restore the old behavior, use `urlencoded({ extended: qs.parse })`
+  * the default `qs` module is now replaced with the `node:querystring` module
 
 2.2.0 / 2025-03-27
 =========================
@@ -92,7 +95,7 @@ This incorporates all changes after 1.19.1 up to 1.20.2.
   * deps: qs@6.13.0
   * add `depth` option to customize the depth level in the parser
   * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)
- 
+
 1.20.2 / 2023-02-21
 ===================
 
diff --git a/README.md b/README.md
@@ -241,6 +241,16 @@ URL-encoded format, allowing for a JSON-like experience with URL-encoded. For
 more information, please [see the qs
 library](https://www.npmjs.org/package/qs#readme).
 
+To use `node:querystring` with extended parsing, use `urlencoded({ extended: true })`. In
+this mode `extendedParsing: true` is implied.
+
+To use `node:querystring` without extended parsing, use `urlencoded({ extended: false })`. In
+this mode `extendedParsing: false` is implied.
+
+To use a custom url parser like `qs`, use `urlencoded({ extended: qs.parse })`. In
+this mode `extendedParsing: true` is implied, but can be overridden by using
+`urlencoded({ extended: qs.parse, extendedParsing: false })`.
+
 Defaults to `false`.
 
 ##### inflate
diff --git a/lib/types/urlencoded.js b/lib/types/urlencoded.js
@@ -15,7 +15,6 @@
 var createError = require('http-errors')
 var debug = require('debug')('body-parser:urlencoded')
 var read = require('../read')
-var qs = require('qs')
 var { normalizeOptions } = require('../utils')
 
 /**
@@ -66,13 +65,16 @@ function urlencoded (options) {
  */
 
 function createQueryParser (options) {
-  var extended = Boolean(options?.extended)
+  var extendedOption = normalizeExtended(options?.extended, options?.extendedParsing)
+  var extendedFunction = extendedOption.extendedFunction
+  var extendedParsing = extendedOption.extendedParsing
+  var allowPrototypes = Boolean(options?.allowPrototypes)
   var parameterLimit = options?.parameterLimit !== undefined
     ? options?.parameterLimit
     : 1000
   var charsetSentinel = options?.charsetSentinel
   var interpretNumericEntities = options?.interpretNumericEntities
-  var depth = extended ? (options?.depth !== undefined ? options?.depth : 32) : 0
+  var depth = extendedParsing ? (options?.depth !== undefined ? options?.depth : 32) : 0
 
   if (isNaN(parameterLimit) || parameterLimit < 1) {
     throw new TypeError('option parameterLimit must be a positive number')
@@ -96,12 +98,12 @@ function createQueryParser (options) {
       })
     }
 
-    var arrayLimit = extended ? Math.max(100, paramCount) : 0
+    var arrayLimit = extendedParsing ? Math.max(100, paramCount) : 0
 
-    debug('parse ' + (extended ? 'extended ' : '') + 'urlencoding')
+    debug('parse ' + (extendedParsing ? 'extended ' : '') + 'urlencoding')
     try {
-      return qs.parse(body, {
-        allowPrototypes: true,
+      return extendedFunction(body, {
+        allowPrototypes: allowPrototypes,
         arrayLimit: arrayLimit,
         depth: depth,
         charsetSentinel: charsetSentinel,
@@ -122,6 +124,33 @@ function createQueryParser (options) {
   }
 }
 
+/**
+ * @param {Boolean | Function} extended
+ * @param {Boolean | null | undefined} extendedParsing
+ * @api private
+ */
+
+function normalizeExtended (extended, extendedParsing) {
+  var normalizedExtendedParsing = Boolean(extendedParsing || extendedParsing === undefined || extendedParsing === null)
+  if (typeof extended === 'function') {
+    return { extendedFunction: extended, extendedParsing: normalizedExtendedParsing }
+  }
+
+  var querystringParse = require('node:querystring').parse
+  var extendedFunction = (str, options) =>
+    querystringParse(str, undefined, undefined, { maxKeys: options.parameterLimit })
+
+  if (extended === true) {
+    return { extendedFunction: extendedFunction, extendedParsing: true }
+  }
+
+  if (extended === false || extended === undefined || extended === null) {
+    return { extendedFunction: extendedFunction, extendedParsing: false }
+  }
+
+  throw new TypeError('option extended must be a boolean or a function')
+}
+
 /**
  * Count the number of parameters, stopping once limit reached
  *
diff --git a/package.json b/package.json
@@ -19,7 +19,6 @@
     "http-errors": "^2.0.0",
     "iconv-lite": "^0.7.0",
     "on-finished": "^2.4.1",
-    "qs": "^6.14.0",
     "raw-body": "^3.0.1",
     "type-is": "^2.0.1"
   },
@@ -33,6 +32,7 @@
     "eslint-plugin-standard": "^4.1.0",
     "mocha": "^11.1.0",
     "nyc": "^17.1.0",
+    "qs": "^6.14.0",
     "supertest": "^7.0.0"
   },
   "files": [
diff --git a/test/urlencoded.js b/test/urlencoded.js
@@ -4,6 +4,7 @@ var assert = require('node:assert')
 var AsyncLocalStorage = require('node:async_hooks').AsyncLocalStorage
 var http = require('node:http')
 var request = require('supertest')
+var qs = require('qs')
 
 var bodyParser = require('..')
 
@@ -43,11 +44,14 @@ describe('bodyParser.urlencoded()', function () {
       .expect(200, '{}', done)
   })
 
-  var extendedValues = [true, false]
+  var extendedValues = [
+    { extended: qs.parse, extendedParsing: true },
+    { extended: qs.parse, extendedParsing: false }
+  ]
   extendedValues.forEach(function (extended) {
     describe('in ' + (extended ? 'extended' : 'simple') + ' mode', function () {
       it('should parse x-www-form-urlencoded with an explicit iso-8859-1 encoding', function (done) {
-        var server = createServer({ extended: extended })
+        var server = createServer({ ...extended })
         request(server)
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded; charset=iso-8859-1')
@@ -56,7 +60,7 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should parse x-www-form-urlencoded with unspecified iso-8859-1 encoding when the defaultCharset is set to iso-8859-1', function (done) {
-        var server = createServer({ defaultCharset: 'iso-8859-1', extended: extended })
+        var server = createServer({ defaultCharset: 'iso-8859-1', ...extended })
         request(server)
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
@@ -65,7 +69,7 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should parse x-www-form-urlencoded with an unspecified iso-8859-1 encoding when the utf8 sentinel has a value of %26%2310003%3B', function (done) {
-        var server = createServer({ charsetSentinel: true, extended: extended })
+        var server = createServer({ charsetSentinel: true, ...extended })
         request(server)
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
@@ -74,7 +78,7 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should parse x-www-form-urlencoded with an unspecified utf-8 encoding when the utf8 sentinel has a value of %E2%9C%93 and the defaultCharset is iso-8859-1', function (done) {
-        var server = createServer({ charsetSentinel: true, extended: extended })
+        var server = createServer({ charsetSentinel: true, ...extended })
         request(server)
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
@@ -83,7 +87,7 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should not leave an empty string parameter when removing the utf8 sentinel from the start of the string', function (done) {
-        var server = createServer({ charsetSentinel: true, extended: extended })
+        var server = createServer({ charsetSentinel: true, ...extended })
         request(server)
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
@@ -92,7 +96,7 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should not leave an empty string parameter when removing the utf8 sentinel from the middle of the string', function (done) {
-        var server = createServer({ charsetSentinel: true, extended: extended })
+        var server = createServer({ charsetSentinel: true, ...extended })
         request(server)
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
@@ -101,7 +105,7 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should not leave an empty string parameter when removing the utf8 sentinel from the end of the string', function (done) {
-        var server = createServer({ charsetSentinel: true, extended: extended })
+        var server = createServer({ charsetSentinel: true, ...extended })
         request(server)
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
@@ -160,10 +164,10 @@ describe('bodyParser.urlencoded()', function () {
       .expect(200, '{"user[name][first]":"Tobi"}', done)
   })
 
-  describe('with extended option', function () {
-    describe('when false', function () {
+  describe('with extendedParsing option', function () {
+    describe('with qs.parse when false', function () {
       before(function () {
-        this.server = createServer({ extended: false })
+        this.server = createServer({ extended: qs.parse, extendedParsing: false })
       })
 
       it('should not parse extended syntax', function (done) {
@@ -183,9 +187,9 @@ describe('bodyParser.urlencoded()', function () {
       })
     })
 
-    describe('when true', function () {
+    describe('with qs.parse when true', function () {
       before(function () {
-        this.server = createServer({ extended: true })
+        this.server = createServer({ extended: qs.parse })
       })
 
       it('should parse multiple key instances', function (done) {
@@ -296,7 +300,7 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should parse up to the specified depth', function (done) {
-        this.server = createServer({ extended: true, depth: 10 })
+        this.server = createServer({ extended: qs.parse, depth: 10 }) // TODO: test extended: true
         request(this.server)
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
@@ -305,7 +309,7 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should not parse beyond the specified depth', function (done) {
-        this.server = createServer({ extended: true, depth: 1 })
+        this.server = createServer({ extended: qs.parse, depth: 1 })
         request(this.server)
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
@@ -316,7 +320,7 @@ describe('bodyParser.urlencoded()', function () {
 
     describe('when default value', function () {
       before(function () {
-        this.server = createServer({ extended: true })
+        this.server = createServer({ extended: qs.parse })
       })
 
       it('should parse deeply nested objects', function (done) {
@@ -462,27 +466,27 @@ describe('bodyParser.urlencoded()', function () {
   })
 
   describe('with parameterLimit option', function () {
-    describe('with extended: false', function () {
+    describe('with extended: qs.parse, extendedParsing: false', function () {
       it('should reject 0', function () {
-        assert.throws(createServer.bind(null, { extended: false, parameterLimit: 0 }),
+        assert.throws(createServer.bind(null, { extended: qs.parse, extendedParsing: false, parameterLimit: 0 }),
           /TypeError: option parameterLimit must be a positive number/)
       })
 
       it('should reject string', function () {
-        assert.throws(createServer.bind(null, { extended: false, parameterLimit: 'beep' }),
+        assert.throws(createServer.bind(null, { extended: qs.parse, extendedParsing: false, parameterLimit: 'beep' }),
           /TypeError: option parameterLimit must be a positive number/)
       })
 
       it('should 413 if over limit', function (done) {
-        request(createServer({ extended: false, parameterLimit: 10 }))
+        request(createServer({ extended: qs.parse, extendedParsing: false, parameterLimit: 10 }))
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(11))
           .expect(413, '[parameters.too.many] too many parameters', done)
       })
 
       it('should work when at the limit', function (done) {
-        request(createServer({ extended: false, parameterLimit: 10 }))
+        request(createServer({ extended: qs.parse, extendedParsing: false, parameterLimit: 10 }))
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(10))
@@ -491,15 +495,15 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should work if number is floating point', function (done) {
-        request(createServer({ extended: false, parameterLimit: 10.1 }))
+        request(createServer({ extended: qs.parse, extendedParsing: false, parameterLimit: 10.1 }))
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(11))
           .expect(413, /too many parameters/, done)
       })
 
       it('should work with large limit', function (done) {
-        request(createServer({ extended: false, parameterLimit: 5000 }))
+        request(createServer({ extended: qs.parse, extendedParsing: false, parameterLimit: 5000 }))
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(5000))
@@ -508,7 +512,7 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should work with Infinity limit', function (done) {
-        request(createServer({ extended: false, parameterLimit: Infinity }))
+        request(createServer({ extended: qs.parse, extendedParsing: false, parameterLimit: Infinity }))
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(10000))
@@ -517,27 +521,27 @@ describe('bodyParser.urlencoded()', function () {
       })
     })
 
-    describe('with extended: true', function () {
+    describe('with extended: qs.parse', function () {
       it('should reject 0', function () {
-        assert.throws(createServer.bind(null, { extended: true, parameterLimit: 0 }),
+        assert.throws(createServer.bind(null, { extended: qs.parse, parameterLimit: 0 }),
           /TypeError: option parameterLimit must be a positive number/)
       })
 
       it('should reject string', function () {
-        assert.throws(createServer.bind(null, { extended: true, parameterLimit: 'beep' }),
+        assert.throws(createServer.bind(null, { extended: qs.parse, parameterLimit: 'beep' }),
           /TypeError: option parameterLimit must be a positive number/)
       })
 
       it('should 413 if over limit', function (done) {
-        request(createServer({ extended: true, parameterLimit: 10 }))
+        request(createServer({ extended: qs.parse, parameterLimit: 10 }))
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(11))
           .expect(413, '[parameters.too.many] too many parameters', done)
       })
 
       it('should work when at the limit', function (done) {
-        request(createServer({ extended: true, parameterLimit: 10 }))
+        request(createServer({ extended: qs.parse, parameterLimit: 10 }))
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(10))
@@ -546,15 +550,15 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should work if number is floating point', function (done) {
-        request(createServer({ extended: true, parameterLimit: 10.1 }))
+        request(createServer({ extended: qs.parse, parameterLimit: 10.1 }))
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(11))
           .expect(413, /too many parameters/, done)
       })
 
       it('should work with large limit', function (done) {
-        request(createServer({ extended: true, parameterLimit: 5000 }))
+        request(createServer({ extended: qs.parse, parameterLimit: 5000 }))
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(5000))
@@ -563,7 +567,7 @@ describe('bodyParser.urlencoded()', function () {
       })
 
       it('should work with Infinity limit', function (done) {
-        request(createServer({ extended: true, parameterLimit: Infinity }))
+        request(createServer({ extended: qs.parse, parameterLimit: Infinity }))
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(10000))
