expressjs · nmurrell07 · Mar 21, 2026 · krzysdz · Mar 21, 2026 · krzysdz
diff --git a/lib/application.js b/lib/application.js
@@ -94,7 +94,8 @@ app.defaultConfiguration = function defaultConfiguration() {
   this.enable('x-powered-by');
   this.set('etag', 'weak');
   this.set('env', env);
-  this.set('query parser', 'simple')
+  this.set('query parser', 'extended')
+  this.set('query parser limit', 10000)
   this.set('subdomain offset', 2);
   this.set('trust proxy', false);
 

diff --git a/lib/request.js b/lib/request.js
@@ -21,6 +21,7 @@ var fresh = require('fresh');
 var parseRange = require('range-parser');
 var parse = require('parseurl');
 var proxyaddr = require('proxy-addr');
+var utils = require('./utils');
 
 /**
  * Request prototype.
@@ -229,6 +230,7 @@ req.range = function range(size, options) {
 
 defineGetter(req, 'query', function query(){
   var queryparse = this.app.get('query parser fn');
+  var limit = this.app.get('query parser limit');
 
   if (!queryparse) {
     // parsing is disabled
@@ -237,6 +239,11 @@ defineGetter(req, 'query', function query(){
 
   var querystring = parse(this).query;
 
+  // Pass limit to extended parser
+  if (queryparse === utils.parseExtendedQueryString) {
+    return queryparse(querystring, limit);
+  }
+
   return queryparse(querystring);
 });
 

diff --git a/lib/utils.js b/lib/utils.js
@@ -264,8 +264,10 @@ function createETagGenerator (options) {
  * @private
  */
 
-function parseExtendedQueryString(str) {
+function parseExtendedQueryString(str, limit) {
   return qs.parse(str, {
-    allowPrototypes: true
+    allowPrototypes: true,
+    parameterLimit: limit || 10000
   });
 }
+exports.parseExtendedQueryString = parseExtendedQueryString;
diff --git a/test/req.query.js b/test/req.query.js
@@ -14,12 +14,12 @@ describe('req', function(){
       .expect(200, '{}', done);
     });
 
-    it('should default to parse simple keys', function (done) {
+    it('should default to parse extended keys', function (done) {
       var app = createApp();
 
       request(app)
       .get('/?user[name]=tj')
-      .expect(200, '{"user[name]":"tj"}', done);
+      .expect(200, '{"user":{"name":"tj"}}', done);
     });
 
     describe('when "query parser" is extended', function () {