parse
The url.parse() method takes a URL string, parses it, and returns a URL object.
A TypeError is thrown if urlString is not a string.
A URIError is thrown if the auth property is present but cannot be decoded.
url.parse() uses a lenient, non-standard algorithm for parsing URL strings. It is prone to security issues such as host name spoofing and incorrect handling of usernames and passwords. Do not use with untrusted input. CVEs are not issued for url.parse() vulnerabilities. Use the WHATWG URL API instead, for example:
function getURL(req) {
const proto = req.headers['x-forwarded-proto'] || 'https';
const host = req.headers['x-forwarded-host'] || req.headers.host || 'example.com';
return new URL(req.url || '/', `${proto}://${host}`);
}The example above assumes well-formed headers are forwarded from a reverse proxy to your Node.js server. If you are not using a reverse proxy, you should use the example below:
function getURL(req) {
return new URL(req.url || '/', 'https://example.com');
}Since
v0.1.25
Parameters
The URL string to parse.
If true, the query property will always be set to an object returned by the querystring module's parse() method. If false, the query property on the returned URL object will be an unparsed, undecoded string. Default: false.
If true, the first token after the literal string // and preceding the next / will be interpreted as the host. For instance, given //foo/bar, the result would be {host: 'foo', pathname: '/bar'} rather than {pathname: '//foo/bar'}. Default: false.