CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

URL & URLSearchParams API

javascript ES2015 Beginner
debt(d5/e1/b1/t5)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5), because detection_hints lists eslint and semgrep with a specific code_pattern (string concatenation for query params instead of URLSearchParams), meaning a configured ESLint rule or semgrep pattern is needed — it won't be caught by default linting without explicit configuration.

e1 Effort Remediation debt — work required to fix once spotted

Closest to 'one-line patch or single-call swap' (e1), because the quick_fix is literally a one-line replacement: swap string concatenation with `new URLSearchParams(params).toString()`, which is a single-call swap per occurrence.

b1 Burden Structural debt — long-term weight of choosing wrong

Closest to 'minimal commitment' (b1), because this is a localized utility-level choice (URL/query string building) that applies only at the point of constructing HTTP requests. It doesn't impose architectural weight or affect unrelated parts of the codebase.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5), because the misconception is well-documented but genuinely catches developers: string concatenation 'looks fine' until special characters (&, ?, =, spaces) in values silently break the URL or cause subtle injection issues. It's a common, documented gotcha that most devs eventually learn the hard way.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-10 · reviewed by human

Also Known As

URL API URLSearchParams query string JS http_build_query JS

TL;DR

URL and URLSearchParams provide structured URL parsing and query string building — the JavaScript equivalent of PHP's parse_url and http_build_query.

Explanation

new URL(href) parses a URL into hostname, pathname, searchParams, hash components. url.searchParams is a URLSearchParams object: .get(), .set(), .append(), .toString(). Constructing query strings: new URLSearchParams({page:2, q:'search'}).toString() → page=2&q=search. URL automatically encodes special characters. PHP parallel: parse_url() for parsing, http_build_query() for building, urlencode() for encoding.

Common Misconception

String concatenation is fine for building query parameters — unencoded special characters (&, ?, =, spaces) in values will break the URL; use URLSearchParams which handles encoding automatically.

Why It Matters

PHP API endpoints with query parameters require properly encoded URLs — URLSearchParams handles encoding automatically and prevents injection via malformed query strings.

Common Mistakes

  • String concatenation for query parameters without encoding
  • Not handling relative vs absolute URLs with new URL()
  • Using deprecated location.search string manipulation

Code Examples

✗ Vulnerable 
// Unencoded special chars break URL:
const url = '/api/search?q=' + userQuery + '&page=' + page;
// If userQuery = 'foo&bar' the & splits into extra parameter
✓ Fixed 
// Safe URL building:
const params = new URLSearchParams({ q: userQuery, page, sort: 'desc' });
const url = `/api/search?${params}`;
// q=foo%26bar&page=1&sort=desc — & encoded correctly

// Parse and modify existing URL:
const u = new URL(location.href);
u.searchParams.set('page', currentPage + 1);
history.pushState({}, '', u);
Added 17 Mar 2026
Edited 22 Mar 2026
Views 19

Curated in Warsaw under one editorial standard. 1,448 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings F 1 ping S 1 ping S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 1 ping W 0 pings T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F
Agents 0
No pings yet today
No pings yesterday
Amazonbot 7 Unknown AI 3 Google 2 Perplexity 2 Ahrefs 2 Majestic 1
Also referenced
Fetch API & HTTP Requests 33 AJAX Patterns for PHP Backends 28 History API — SPA Routing with PHP Backend 24
How they use it
crawler 15 crawler_json 1 pre-tracking 1
Related categories
javascript 2.5k
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Use new URLSearchParams(params).toString() to build query strings — it handles encoding automatically like PHP's http_build_query()
📦 Applies To
javascript ES2015 web cli
🔗 Prerequisites
🔍 Detection Hints
Query string built with + concatenation instead of URLSearchParams; manual encodeURIComponent on multiple parameters
Auto-detectable: ✓ Yes eslint semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: Medium ✓ Auto-fixable Fix: Low Context: Function
✓ schema.org compliant