Home/ Questions/Q 6218347
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T07:35:34+00:00

I have found the following JS on the web. It is a function to

  • 0

I have found the following JS on the web.

It is a function to get url params values.

function get_url_param(param) {
  param = param.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
  var regexS = "[\\?&]"+param+"=([^&#]*)";
  var regex = new RegExp( regexS );
  var results = regex.exec(window.location.href);
  if( results == null )
    return '';
  else
    return results[1];
}

However always when I see a exec() function I think: Eeek!

So my question is: is it safe?

Side bet: If you think this function sucks and have a better option don’t hesitate to share 🙂

The above function uses the real url but I only need to parse a string which contains an URL.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Regexp#exec is safe, albeit not a very nice interface.

    Side bet: If you think this function sucks and have a better option don’t hesitate to share 🙂

    yeeep 🙂

    param = param.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");

    This doesn’t use a global regexp so you are only replacing one instance of each bracket; field[][] wouldn’t work. Also you don’t need the character group… param.replace(/\[/g, '\\[') would have worked. Or, the non-regexp replacement idiom, param.split('[').join('\\[').

    Then:

    var regexS = "[\\?&]"+param+"=([^&#]*)";

    you’re not escaping nearly enough characters to be able to drop them into a regexp and have them mean their literal selves. See this question for a more watertight alternative.

    Anyway this kind of regex hacking still isn’t a good way of parsing URLs/query strings. This doesn’t deal properly with ; or %-encoding, or + for space, and it may trip on parameter lookalikes elsewhere in the URL.

    Instead, let’s first get the query string on its own. If you have a link or location object, you can get it from the the .search property . If you only have a string URL, you can turn it into a link object to get this reliably:

    function getQueryString(url) {
    var a= document.createElement('a');
    a.href= url;
    return a.search;
}

    Now you can parse it into by dropping the leading ?, splitting on & or ;, then dropping the URL-decoded results into a JS Object:

    function parseQuery(query) {
    var lookup= {};
    var params= query.slice(1).split(/[&;]/);
    for (var i= 0; i<params.length; i++) {
        var ix= params[i].indexOf('=');
        if (ix!==-1) {
            var name= decodeURIComponent(params[i].slice(0, ix));
            var value= decodeURIComponent(params[i].slice(ix+1));
            if (!(name in lookup))
                lookup[name]= [];
            lookup[name].push(value);
        }
    }
    return lookup;
}

    This makes it easy to look up parameters:

    var url= 'http://www.example.com/?a=b&c=d&c=%65;f[]=g#h=i';
var pars= parseQuery(getQueryString(url));

alert(pars.a);      // ['b']
alert(pars.c);      // ['d', 'e']
alert(pars['f[]']); // ['g']
alert('h' in pars); // false

    If you don’t need to read multiple values for a parameter, you could just do lookup[name]= value instead of the if...[]...push dance, to return single string values in the lookup instead of lists.

    • 0