[Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder

ljharb · ljharb · commit 21f80b33e5c8 · 2026-05-15T23:15:06.000-07:00
When `arrayFormat: 'comma'` and `encodeValuesOnly: true` were both set, the comma branch passed array entries directly to the encoder via `utils.maybeMap` before the per-element null handling in the main loop. A `null` or `undefined` entry reached `utils.encode` as the `str` argument and `str.length` threw `TypeError`. Neither `skipNulls` nor `strictNullHandling` prevented the crash — both are checked downstream of the encode call on line 145, inside the per-`objKeys` loop, but the comma path collapses the entire array into a single `objKeys` entry before the loop runs. The fix wraps the encoder in a closure that passes `null`/`undefined` through unchanged, so they reach the `join(',')` step as-is. This matches the non-`encodeValuesOnly` comma path, which already joins before encoding and produces `a=%2Cb` for `{ a: [null, 'b'] }`; under `encodeValuesOnly` the comma stays unencoded as a separator, yielding `a=,b`. Single-null arrays still collapse to `null` via the existing `obj.join(',') || null` and remain subject to `skipNulls` / `strictNullHandling` in the main loop. Same class of issue as the filter-array path fixed in 0c180a4, introduced in 04eac8d (2021-04-19) when the comma + `encodeValuesOnly` branch was first added.
diff --git a/eslint.config.mjs b/eslint.config.mjs
@@ -11,6 +11,7 @@ export default [
         rules: {
             complexity: 'off',
             'consistent-return': 'warn',
+            eqeqeq: ['error', 'allow-null'],
             'func-name-matching': 'off',
             'id-length': [
                 'error',
diff --git a/lib/stringify.js b/lib/stringify.js
@@ -142,7 +142,9 @@ var stringify = function stringify(
     if (generateArrayPrefix === 'comma' && isArray(obj)) {
         // we need to join elements in
         if (encodeValuesOnly && encoder) {
-            obj = utils.maybeMap(obj, encoder);
+            obj = utils.maybeMap(obj, function (v) {
+                return v == null ? v : encoder(v);
+            });
         }
         objKeys = [{ value: obj.length > 0 ? obj.join(',') || null : void undefined }];
     } else if (isArray(filter)) {
diff --git a/test/stringify.js b/test/stringify.js
@@ -651,6 +651,49 @@ test('stringify()', function (t) {
         st.end();
     });
 
+    t.test('does not crash on null/undefined entries in arrayFormat=comma with encodeValuesOnly', function (st) {
+        st.doesNotThrow(
+            function () { qs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true }); },
+            'does not pass a raw null array entry to the encoder'
+        );
+        st.doesNotThrow(
+            function () { qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true }); },
+            'does not pass a raw undefined array entry to the encoder'
+        );
+        st.doesNotThrow(
+            function () { qs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true }); },
+            'does not crash on a single-null array'
+        );
+
+        st.equal(
+            qs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true }),
+            'a=,b',
+            'null entry joins as empty, comma stays unencoded under encodeValuesOnly'
+        );
+        st.equal(
+            qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true }),
+            'a=,b',
+            'undefined entry joins as empty, comma stays unencoded under encodeValuesOnly'
+        );
+        st.equal(
+            qs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true }),
+            'a=',
+            'single-null array stringifies as empty value'
+        );
+        st.equal(
+            qs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true, strictNullHandling: true }),
+            'a',
+            'strictNullHandling drops the equals sign for a single-null array'
+        );
+        st.equal(
+            qs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true, skipNulls: true }),
+            '',
+            'skipNulls drops a single-null array entirely'
+        );
+
+        st.end();
+    });
+
     t.test('stringifies a null object', { skip: !hasProto }, function (st) {
         st.equal(qs.stringify({ __proto__: null, a: 'b' }), 'a=b');
         st.end();
