querystring: using toString for objects on querystring.escape

[silentroach]

querystring.encode unexpected behavior on objects, see #5309

here is specs for encodeURIComponent - http://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4, so object must be casted to string via toString, not via valueOf.

const qs = require('querystring');

const testObject = { toString: () => 'test', valueOf: () => 5 };

console.log('expected', encodeURIComponent(testObject));   // 'test'
console.log('actual',   qs.escape(testObject));            // 5

Here is why:

> '' + {toString: () => 'test', valueOf: () => 5}
5

String({toString: () => 'test', valueOf: () => 5})
'test'

[mscdex]

I just ran some quick benchmarks and it seems that using the String() constructor is currently significantly slower on objects than simply calling its .toString(). It would need further benchmarking, but perhaps putting an extra conditional to avoid that particular case might help things.

[silentroach]

@mscdex rewritten with typecheck

[jacobp100]

Not quite.

const x = Symbol('test');
'' + x; // throws
String(x) // 'Symbol(test)'

[silentroach]

@jacobp100 the same with encodeURIComponent:

> encodeURIComponent(Symbol('test'))
TypeError: Cannot convert a Symbol value to a string

> '' + Symbol('test')
TypeError: Cannot convert a Symbol value to a string

so the current solution is better than String constructor. Thank you for additional test case :)

[jacobp100]

You’re correct, good catch. Just checked, per spec, ToString should throw for symbols.

[jasnell]

LGTM

[Fishrock123]

Are there any cases we can test where this would make a difference even if you are not setting toString()/valueOf()?

[mscdex]

@Fishrock123 What do you mean? There will always be a toString() of some kind, whether you explicitly set one or not (if you don't, Object.prototype.toString() will get used).

[jacobp100]

Nah, he's right. If toString is not callable, then you need to try valueOf. If that's also not callable, you need to throw an error.

[silentroach]

Fixed. + more tests

Seems like it is better to use String constructor instead all of these checks. What do you think about last commit, @mscdex?

[jasnell]

@mscdex @nodejs/ctc ... ping

[mscdex]

This should be moved to the next line.

[silentroach]

but why? is there any reason to add empty string to str if it is already a string?

please check out tests below, maybe I forgot some cases?

[mscdex]

No, I meant this as a style nit: moving the str += ''; to the next line instead of on the same line as the else.

[silentroach]

oh. will fix in 5 minutes, thank you

[silentroach]

@mscdex your variant will fail for this test

// toString is not callable, must throw an error
assert.throws(() => qs.escape({toString: 5}));

and in my version there is no problem with encoding symbols - it will throw as with encodeURIComponent

[mscdex]

LGTM with one minor nit

[mscdex]

CI: https://ci.nodejs.org/job/node-test-pull-request/2057/

[jasnell]

One failure in CI that looks unrelated.

[jasnell]

@mscdex ... any further comments on this one?

[jasnell]

@silentroach ... can you update the commit log to follow our style guidelines here: https://github.com/nodejs/node/blob/master/CONTRIBUTING.md#step-3-commit

[mscdex]

@jasnell Nope, other than commit message needs to be formatted correctly

[silentroach]

@jasnell, @mscdex fixed. Is it ok now?

[jasnell]

Yep, LGTM

[jasnell]

New CI, just to be extra careful ;-) https://ci.nodejs.org/job/node-test-pull-request/2244/

[jasnell]

Landed in 5dafb43

[silentroach]

Thank you :}