[Fix] encode brackets in key content to fix round-trip parsing

When object keys contain literal `[` or `]` characters, stringify now
pre-encodes them so the parser does not confuse them with the structural
brackets used for nesting (e.g. `a[b]=c`).

This fixes the round-trip failure described in #513, where
`qs.parse(qs.stringify(obj))` would not return the original object when
keys contained brackets (such as JSON-like strings).

Fixes #513

Author: veeceey

lib/parse.js

@@ -186,6 +186,7 @@ var parseObject = function (chain, val, options, valuesParsed) {
             obj = options.plainObjects ? { __proto__: null } : {};
             var cleanRoot = root.charAt(0) === '[' && root.charAt(root.length - 1) === ']' ? root.slice(1, -1) : root;
             var decodedRoot = options.decodeDotInKeys ? cleanRoot.replace(/%2E/g, '.') : cleanRoot;
+            decodedRoot = decodedRoot.replace(/%5B/gi, '[').replace(/%5D/gi, ']');
             var index = parseInt(decodedRoot, 10);
             var isValidArrayIndex = !isNaN(index)
                 && root !== decodedRoot

lib/stringify.js

@@ -5,6 +5,21 @@ var utils = require('./utils');
 var formats = require('./formats');
 var has = Object.prototype.hasOwnProperty;
 
+var encBracketsInContent = function encBracketsInContent(key, willBeEncoded) {
+    // When a key contains literal [ or ], pre-encode them so that the parser
+    // does not confuse them with structural brackets used for nesting.
+    // If the key will later go through the full encoder, use single encoding
+    // (%5B/%5D) since the encoder will double-encode the % to %25, producing
+    // %255B/%255D. If the key will NOT be further encoded (encodeValuesOnly),
+    // use double encoding (%255B/%255D) directly.
+    if (!(/\[|\]/).test(key)) {
+        return key;
+    }
+    var bracketOpen = willBeEncoded ? '%5B' : '%255B';
+    var bracketClose = willBeEncoded ? '%5D' : '%255D';
+    return key.replace(/\[/g, bracketOpen).replace(/\]/g, bracketClose);
+};
+
 var arrayPrefixGenerators = {
     brackets: function brackets(prefix) {
         return prefix + '[]';
@@ -171,6 +186,10 @@ var stringify = function stringify(
         }
 
         var encodedKey = allowDots && encodeDotInKeys ? String(key).replace(/\./g, '%2E') : String(key);
+        // Encode brackets in key content to prevent parser confusion with structural brackets (#513)
+        if (encoder) {
+            encodedKey = encBracketsInContent(encodedKey, !encodeValuesOnly);
+        }
         var keyPrefix = isArray(obj)
             ? typeof generateArrayPrefix === 'function' ? generateArrayPrefix(adjustedPrefix, encodedKey) : adjustedPrefix
             : adjustedPrefix + (allowDots ? '.' + encodedKey : '[' + encodedKey + ']');
@@ -317,9 +336,13 @@ module.exports = function (object, opts) {
         if (options.skipNulls && value === null) {
             continue;
         }
+        // Encode brackets in top-level key content to prevent parser confusion (#513)
+        var encodedTopKey = options.encode
+            ? encBracketsInContent(String(key), !options.encodeValuesOnly)
+            : String(key);
         pushToArray(keys, stringify(
             value,
-            key,
+            encodedTopKey,
             generateArrayPrefix,
             commaRoundTrip,
             options.allowEmptyArrays,

test/parse.js

@@ -1508,5 +1508,37 @@ test('mixed array and object notation', function (t) {
         st.end();
     });
 
+    t.test('decodes encoded brackets in key content (#513)', function (st) {
+        // %5B/%5D in segment content should be decoded to [ and ]
+        st.deepEqual(
+            qs.parse('a%5Bb%255Bc%255D%5D=d'),
+            { a: { 'b[c]': 'd' } },
+            'decodes double-encoded brackets in nested key content'
+        );
+
+        // top-level key with double-encoded brackets
+        st.deepEqual(
+            qs.parse('a%255Bb%255D=c'),
+            { 'a[b]': 'c' },
+            'decodes double-encoded brackets in top-level key'
+        );
+
+        // encodeValuesOnly-style input (structural brackets literal, content double-encoded)
+        st.deepEqual(
+            qs.parse('a[b%255Bc%255D]=d'),
+            { a: { 'b[c]': 'd' } },
+            'decodes double-encoded brackets in key content with literal structural brackets'
+        );
+
+        // issue #513: key content with JSON-like brackets
+        st.deepEqual(
+            qs.parse('buttons%5Bcommands%7C%7B%22orders%22%3A%255B%2247441%22%255D%7D%5D=Unisci%20ordini'),
+            { buttons: { 'commands|{"orders":["47441"]}': 'Unisci ordini' } },
+            'correctly parses key content with JSON-like brackets'
+        );
+
+        st.end();
+    });
+
     t.end();
 });

test/stringify.js

@@ -1307,4 +1307,82 @@ test('stringifies empty keys', function (t) {
 
         st.end();
     });
+    t.test('encodes brackets in key content for round-trip safety (#513)', function (st) {
+        // nested key with brackets in content
+        st.equal(
+            qs.stringify({ a: { 'b[c]': 'd' } }),
+            'a%5Bb%255Bc%255D%5D=d',
+            'encodes nested key containing brackets with default encoding'
+        );
+
+        // flat key with brackets in content
+        st.equal(
+            qs.stringify({ 'a[b]': 'c' }),
+            'a%255Bb%255D=c',
+            'encodes top-level key containing brackets with default encoding'
+        );
+
+        // round-trip: nested key with brackets
+        var obj1 = { a: { 'b[c]': 'd' } };
+        st.deepEqual(
+            qs.parse(qs.stringify(obj1)),
+            obj1,
+            'round-trips nested key containing brackets'
+        );
+
+        // round-trip: flat key with brackets (issue #513 example)
+        var obj2 = { 'my name|{"data":["one","two","three"]}': 'value' };
+        st.deepEqual(
+            qs.parse(qs.stringify(obj2)),
+            obj2,
+            'round-trips flat key containing brackets'
+        );
+
+        // round-trip with encodeValuesOnly
+        st.equal(
+            qs.stringify({ a: { 'b[c]': 'd' } }, { encodeValuesOnly: true }),
+            'a[b%255Bc%255D]=d',
+            'encodes nested key containing brackets with encodeValuesOnly'
+        );
+
+        var obj3 = { a: { 'b[c]': 'd' } };
+        st.deepEqual(
+            qs.parse(qs.stringify(obj3, { encodeValuesOnly: true })),
+            obj3,
+            'round-trips nested key containing brackets with encodeValuesOnly'
+        );
+
+        // round-trip: original issue example (buttons with JSON in key)
+        var obj4 = { buttons: { 'commands.identifier|{"orders":["47441","47440"]}': 'Unisci ordini' } };
+        st.deepEqual(
+            qs.parse(qs.stringify(obj4)),
+            obj4,
+            'round-trips issue #513 example with nested brackets in key content'
+        );
+
+        // keys without brackets should be unaffected
+        st.equal(
+            qs.stringify({ a: { b: 'c' } }),
+            'a%5Bb%5D=c',
+            'keys without brackets are unaffected'
+        );
+
+        // round-trip with allowDots
+        var obj5 = { a: { 'b[c]': 'd' } };
+        st.deepEqual(
+            qs.parse(qs.stringify(obj5, { allowDots: true }), { allowDots: true }),
+            obj5,
+            'round-trips nested key containing brackets with allowDots'
+        );
+
+        // encode: false should not encode brackets
+        st.equal(
+            qs.stringify({ a: { 'b[c]': 'd' } }, { encode: false }),
+            'a[b[c]]=d',
+            'does not encode brackets in key content when encode is false'
+        );
+
+        st.end();
+    });
+
 });