'use strict'; const QueryString = module.exports = { unescapeBuffer, // `unescape()` is a JS global, so we need to use a different local name unescape: qsUnescape, // `escape()` is a JS global, so we need to use a different local name escape: qsEscape, stringify, encode: stringify, parse, decode: parse }; const Buffer = require('buffer').Buffer; // This constructor is used to store parsed query string values. Instantiating // this is faster than explicitly calling `Object.create(null)` to get a // "clean" empty object (tested with v8 v4.9). function ParsedQueryString() {} ParsedQueryString.prototype = Object.create(null); const unhexTable = [ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 0 - 15 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 16 - 31 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 32 - 47 +0, +1, +2, +3, +4, +5, +6, +7, +8, +9, -1, -1, -1, -1, -1, -1, // 48 - 63 -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 64 - 79 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 80 - 95 -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 96 - 111 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 112 - 127 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 128 ... -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 // ... 255 ]; // a safe fast alternative to decodeURIComponent function unescapeBuffer(s, decodeSpaces) { var out = Buffer.allocUnsafe(s.length); var state = 0; var n, m, hexchar, c; for (var inIndex = 0, outIndex = 0; ; inIndex++) { if (inIndex < s.length) { c = s.charCodeAt(inIndex); } else { if (state > 0) { out[outIndex++] = 37/*%*/; if (state === 2) out[outIndex++] = hexchar; } break; } switch (state) { case 0: // Any character switch (c) { case 37: // '%' n = 0; m = 0; state = 1; break; case 43: // '+' if (decodeSpaces) c = 32; // ' ' // falls through default: out[outIndex++] = c; break; } break; case 1: // First hex digit hexchar = c; n = unhexTable[c]; if (!(n >= 0)) { out[outIndex++] = 37/*%*/; out[outIndex++] = c; state = 0; break; } state = 2; break; case 2: // Second hex digit state = 0; m = unhexTable[c]; if (!(m >= 0)) { out[outIndex++] = 37/*%*/; out[outIndex++] = hexchar; out[outIndex++] = c; break; } out[outIndex++] = 16 * n + m; break; } } // TODO support returning arbitrary buffers. return out.slice(0, outIndex); } function qsUnescape(s, decodeSpaces) { try { return decodeURIComponent(s); } catch (e) { return QueryString.unescapeBuffer(s, decodeSpaces).toString(); } } const hexTable = []; for (var i = 0; i < 256; ++i) hexTable[i] = '%' + ((i < 16 ? '0' : '') + i.toString(16)).toUpperCase(); // These characters do not need escaping when generating query strings: // ! - . _ ~ // ' ( ) * // digits // alpha (uppercase) // alpha (lowercase) const noEscape = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 0 - 15 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 16 - 31 0, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, // 32 - 47 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, // 48 - 63 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, // 64 - 79 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, // 80 - 95 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, // 96 - 111 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0 // 112 - 127 ]; // QueryString.escape() replaces encodeURIComponent() // http://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4 function qsEscape(str) { if (typeof str !== 'string') { if (typeof str === 'object') str = String(str); else str += ''; } var out = ''; var lastPos = 0; for (var i = 0; i < str.length; ++i) { var c = str.charCodeAt(i); // ASCII if (c < 0x80) { if (noEscape[c] === 1) continue; if (lastPos < i) out += str.slice(lastPos, i); lastPos = i + 1; out += hexTable[c]; continue; } if (lastPos < i) out += str.slice(lastPos, i); // Multi-byte characters ... if (c < 0x800) { lastPos = i + 1; out += hexTable[0xC0 | (c >> 6)] + hexTable[0x80 | (c & 0x3F)]; continue; } if (c < 0xD800 || c >= 0xE000) { lastPos = i + 1; out += hexTable[0xE0 | (c >> 12)] + hexTable[0x80 | ((c >> 6) & 0x3F)] + hexTable[0x80 | (c & 0x3F)]; continue; } // Surrogate pair ++i; var c2; if (i < str.length) c2 = str.charCodeAt(i) & 0x3FF; else throw new URIError('URI malformed'); lastPos = i + 1; c = 0x10000 + (((c & 0x3FF) << 10) | c2); out += hexTable[0xF0 | (c >> 18)] + hexTable[0x80 | ((c >> 12) & 0x3F)] + hexTable[0x80 | ((c >> 6) & 0x3F)] + hexTable[0x80 | (c & 0x3F)]; } if (lastPos === 0) return str; if (lastPos < str.length) return out + str.slice(lastPos); return out; } function stringifyPrimitive(v) { if (typeof v === 'string') return v; if (typeof v === 'number' && isFinite(v)) return '' + v; if (typeof v === 'boolean') return v ? 'true' : 'false'; return ''; } function stringify(obj, sep, eq, options) { sep = sep || '&'; eq = eq || '='; var encode = QueryString.escape; if (options && typeof options.encodeURIComponent === 'function') { encode = options.encodeURIComponent; } if (obj !== null && typeof obj === 'object') { var keys = Object.keys(obj); var len = keys.length; var flast = len - 1; var fields = ''; for (var i = 0; i < len; ++i) { var k = keys[i]; var v = obj[k]; var ks = encode(stringifyPrimitive(k)) + eq; if (Array.isArray(v)) { var vlen = v.length; var vlast = vlen - 1; for (var j = 0; j < vlen; ++j) { fields += ks + encode(stringifyPrimitive(v[j])); if (j < vlast) fields += sep; } if (vlen && i < flast) fields += sep; } else { fields += ks + encode(stringifyPrimitive(v)); if (i < flast) fields += sep; } } return fields; } return ''; } const isHexTable = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 0 - 15 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 16 - 31 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 32 - 47 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, // 48 - 63 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 64 - 79 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 80 - 95 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 96 - 111 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 112 - 127 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 128 ... 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 // ... 256 ]; function charCodes(str) { if (str.length === 0) return []; if (str.length === 1) return [str.charCodeAt(0)]; const ret = []; for (var i = 0; i < str.length; ++i) ret[ret.length] = str.charCodeAt(i); return ret; } const defSepCodes = [38]; // & const defEqCodes = [61]; // = // Parse a key/val string. function parse(qs, sep, eq, options) { const obj = new ParsedQueryString(); if (typeof qs !== 'string' || qs.length === 0) { return obj; } var sepCodes = (!sep ? defSepCodes : charCodes(sep + '')); var eqCodes = (!eq ? defEqCodes : charCodes(eq + '')); const sepLen = sepCodes.length; const eqLen = eqCodes.length; var pairs = 1000; if (options && typeof options.maxKeys === 'number') { // -1 is used in place of a value like Infinity for meaning // "unlimited pairs" because of additional checks V8 (at least as of v5.4) // has to do when using variables that contain values like Infinity. Since // `pairs` is always decremented and checked explicitly for 0, -1 works // effectively the same as Infinity, while providing a significant // performance boost. pairs = (options.maxKeys > 0 ? options.maxKeys : -1); } var decode = QueryString.unescape; if (options && typeof options.decodeURIComponent === 'function') { decode = options.decodeURIComponent; } const customDecode = (decode !== qsUnescape); const keys = []; var lastPos = 0; var sepIdx = 0; var eqIdx = 0; var key = ''; var value = ''; var keyEncoded = customDecode; var valEncoded = customDecode; const plusChar = (customDecode ? '%20' : ' '); var encodeCheck = 0; for (var i = 0; i < qs.length; ++i) { const code = qs.charCodeAt(i); // Try matching key/value pair separator (e.g. '&') if (code === sepCodes[sepIdx]) { if (++sepIdx === sepLen) { // Key/value pair separator match! const end = i - sepIdx + 1; if (eqIdx < eqLen) { // We didn't find the (entire) key/value separator if (lastPos < end) { // Treat the substring as part of the key instead of the value key += qs.slice(lastPos, end); if (keyEncoded) key = decodeStr(key, decode); } else { // We saw an empty substring between separators if (--pairs === 0) return obj; lastPos = i + 1; sepIdx = eqIdx = 0; continue; } } else { if (lastPos < end) { value += qs.slice(lastPos, end); if (valEncoded) value = decodeStr(value, decode); } if (keyEncoded) key = decodeStr(key, decode); } // Use a key array lookup instead of using hasOwnProperty(), which is // slower if (keys.indexOf(key) === -1) { obj[key] = value; keys[keys.length] = key; } else { const curValue = obj[key]; // A simple Array-specific property check is enough here to // distinguish from a string value and is faster and still safe // since we are generating all of the values being assigned. if (curValue.pop) curValue[curValue.length] = value; else obj[key] = [curValue, value]; } if (--pairs === 0) return obj; keyEncoded = valEncoded = customDecode; key = value = ''; encodeCheck = 0; lastPos = i + 1; sepIdx = eqIdx = 0; } } else { sepIdx = 0; // Try matching key/value separator (e.g. '=') if we haven't already if (eqIdx < eqLen) { if (code === eqCodes[eqIdx]) { if (++eqIdx === eqLen) { // Key/value separator match! const end = i - eqIdx + 1; if (lastPos < end) key += qs.slice(lastPos, end); encodeCheck = 0; lastPos = i + 1; } continue; } else { eqIdx = 0; if (!keyEncoded) { // Try to match an (valid) encoded byte once to minimize unnecessary // calls to string decoding functions if (code === 37/*%*/) { encodeCheck = 1; continue; } else if (encodeCheck > 0) { // eslint-disable-next-line no-extra-boolean-cast if (!!isHexTable[code]) { if (++encodeCheck === 3) keyEncoded = true; continue; } else { encodeCheck = 0; } } } } if (code === 43/*+*/) { if (lastPos < i) key += qs.slice(lastPos, i); key += plusChar; lastPos = i + 1; continue; } } if (code === 43/*+*/) { if (lastPos < i) value += qs.slice(lastPos, i); value += plusChar; lastPos = i + 1; } else if (!valEncoded) { // Try to match an (valid) encoded byte (once) to minimize unnecessary // calls to string decoding functions if (code === 37/*%*/) { encodeCheck = 1; } else if (encodeCheck > 0) { // eslint-disable-next-line no-extra-boolean-cast if (!!isHexTable[code]) { if (++encodeCheck === 3) valEncoded = true; } else { encodeCheck = 0; } } } } } // Deal with any leftover key or value data if (lastPos < qs.length) { if (eqIdx < eqLen) key += qs.slice(lastPos); else if (sepIdx < sepLen) value += qs.slice(lastPos); } else if (eqIdx === 0) { // We ended on an empty substring return obj; } if (keyEncoded) key = decodeStr(key, decode); if (valEncoded) value = decodeStr(value, decode); // Use a key array lookup instead of using hasOwnProperty(), which is slower if (keys.indexOf(key) === -1) { obj[key] = value; keys[keys.length] = key; } else { const curValue = obj[key]; // A simple Array-specific property check is enough here to // distinguish from a string value and is faster and still safe since // we are generating all of the values being assigned. if (curValue.pop) curValue[curValue.length] = value; else obj[key] = [curValue, value]; } return obj; } // v8 does not optimize functions with try-catch blocks, so we isolate them here // to minimize the damage (Note: no longer true as of V8 5.4 -- but still will // not be inlined). function decodeStr(s, decoder) { try { return decoder(s); } catch (e) { return QueryString.unescape(s, true); } }