-
-
Notifications
You must be signed in to change notification settings - Fork 735
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
qs.parse silently drops properties #80
Comments
Is this a bug? |
technically? it's a side effect of not allowing properties that match those on the object prototype. the solution is switching to a plain object for storage so we don't care about the prototype |
labeled this as a breaking change due to the returned objects being a plain object now |
This might not have been the right solution. So now these objects fail in places where the result is being treated as an object with a default prototype. I think a better approach would be to add a prefix to the keys instead when overlapping with prototype methods and have some logic if the prefixed version is also present (e.g. some kind of escaping). |
I still think it should work like JSON.parse, which uses the default prototype and doesn't have any dropping issue. I tried to update body-parser to 3.x but encountered lots of user push back. Same for Express req.query. |
JSON.parse does have overriding issues
Prefixing keys that would overwrite properties from the prototype would work, but then it's kind of awkward to access them since the consumer would have to be aware that they'll be prefixed |
This issue I opened is not about overriding issues; it is about dropping properties. |
Right, but one of the main concerns of this module was to resolve the security concerns present in the original, one of which being that it's possible to override object prototype properties. I can't sacrifice one to allow the other, so we need to figure out some way to accommodate both. |
Regardless, I am indifferent about the module's direction :) I need W3C parsing compliance and with the closure of #63 I will simply be moving to a different module rather than 3.0 (especially with some massive Express community blow back when I tried to update this module to 3.0 because of the null prototype issue). |
Yeah, given all the bike shedding and random issues, I'm very seriously considering dropping all the extraneous crap and going back to #63 instead. This module has become a bit of a nightmare to maintain. |
I'm just opening a new issue so that old one does not get lost. This is a general continuation as a new issue from #73 (comment) and onwards.
Because
qs
silently discards properties, it makes this library unsuitable for any real REST API. It only works for "toy" web sites that have a very explicit list of keys in all routes. With this module, one cannot make a route that contains customer-defined properties, as they will evidently choose one that is silently dropped just because traffic happens to flow through Node.js.The main other parsers doesn't particularly have this issue:
The text was updated successfully, but these errors were encountered: