tracker issue : CF-3689049

Title:

serializeJson() escaped fwd slashes


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Adam Cameron / Adam Cameron (Adam Cameron)

Created: 01/04/2014

Components: AJAX, Plumbing

Versions: 10.0

Failure Type:

Found In Build/Fixed In Build: Final / CF10_Update14

Priority/Frequency: Major / Most users will encounter

Locale/System: English / Platforms All

Vote Count: 0

See https://groups.google.com/d/msg/railo/4EiksqmZgas/67SK5grA-rUJ &  https://issues.jboss.org/browse/RAILO-2807

This applies to CF as well.  Repro:

<cfscript>
st = {"link" = "/example/example1"};
json1 = serializeJSON(st);

writedump(json1); //  {"link":"\/example\/example1"}
</cfscript>

CF should not be escaping fwd slashes: there's no need to. It should just stick to the JSON spec.

I've marked this as affecting CF10, but it affects CF9.

-- 
Adam

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3689049

External Customer Info:
External Company:  
External Customer Name: Adam Cameron.
External Customer Email:  
External Test Config: My Hardware and Environment details:

Attachments:

  1. November 09, 2015 00:00:00: 1_serializeJSON-test.cfm

Comments:

As per the JSON spec, forward slash should be escaped. Let me know if I am missing something.. http://www.json.org/ and http://www.ietf.org/rfc/rfc4627.txt (page: 5).
Comment by Awdhesh K.
13753 | January 29, 2014 04:49:15 AM GMT
Yeah... you're misreading the RFC and the diagram on the JSON site, because they absolutely do NOT say that. Did you actually bother to read the links I gave you? Because we go through it all in there. You didn't, did you? No. Did you think I posted them there to simply pass the time, or do you think I posted them there because they were important information relating to this ticket? Which was it likely to be?
Even if you ignored the info I provided, had you bothered to do any investigation of this then you'd've quickly realised you are simply misreading the information in front of you.
Go to http://jsonlint.com/ and test validating this string:
{"/": "/"}
Indeed try to test with THIS string:
{"\/": "\/"}
Note what jsonlint does? Gets rid of the unnecessary escaping.
Then go into your console on your browser, and do this:
o = JSON.parse('{"/": "/"}');
console.log(o);
Sorry to sound slightly contemptuous of your efforts here... it's because I *am* contemptuous of them.
-- Adam
Comment by External U.
13754 | January 29, 2014 05:05:31 AM GMT
I don't get why shouldn't we escape forward slashes. Anyway I made the required changes..
Comment by Awdhesh K.
13755 | February 10, 2014 12:13:20 AM GMT
Because there's no requirement to. Turn the question around: why *would you* escape them if it's not necessary? -- Adam
Comment by External U.
13756 | February 11, 2014 02:59:51 AM GMT
In place of forward slash, backward slash was being skipped. Corrected..
Comment by Awdhesh K.
13757 | March 05, 2014 07:15:40 AM GMT
Confirmed this is fixed in 10,0,14,291717. Cheers.
Comment by External U.
13758 | October 14, 2014 03:15:43 PM GMT
All well and good in theory and in most cases, but there's at least one scenario that the CF10 fix breaks, and that's when the result is output between <InvalidTag> tags, and the string or object being serialized contains the string "</script>". The exact error you get depends on the browser, but it happens in all I tested. Roughly speaking, it's an unterminated string error. (Chrome: Uncaught SyntaxError: Unexpected token ILLEGAL, Firefox: SyntaxError: unterminated string literal, IE: SCRIPT1015: Unterminated string constant.) I've attached a demo. In CF9, there's no error, the js object gets dumped to the console, and the value of the field containing that string gets alerted. In CF10, you get the above browser-dependent errors. The only fix that occurred to me was to specifically escape the forward slash in that context, only. Uncomment line 4 of the attached to see it in action. It works correctly on both CF9 and CF10, in all browsers I tried. It's brittle and funky, bad code smell, and other suggestions are welcome, but absent any other ideas, I'd suggest that CF be updated to do that, so every bit of affected code doesn't have to.
Comment by External U.
13759 | November 09, 2015 10:13:56 AM GMT
Ach, in the note I just added, replace <InvalidTag> with an HTML script tag. Doh.
Comment by External U.
13760 | November 09, 2015 10:15:15 AM GMT
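
Added example, not part of the ticket or its attachment: a Node.js sketch of the failure described in the last comments, comparing plain JSON.stringify output, the old slash-escaped output, and a context-aware serializer that escapes only "<" when the JSON is written into an inline script block. The function names, the simplified model of how the HTML parser ends a script element, and the sample data are assumptions made for illustration; the U+2028/U+2029 handling goes slightly beyond what the thread discusses.

```javascript
// Added example, not from the ticket. All function names are hypothetical.

// Rough model of the HTML parser: a script element's text ends at the first
// "</script" (case-insensitive), regardless of JavaScript string quoting.
function scriptTextSeenByBrowser(inlineSource) {
  const end = inlineSource.search(/<\/script/i);
  return end === -1 ? inlineSource : inlineSource.slice(0, end);
}

// True if the text the browser would hand to the JS engine still parses.
function parsesAsJs(source) {
  try {
    new Function(source); // compiles only, never runs the body
    return true;
  } catch (e) {
    return false;
  }
}

// Pre-fix style output: every "/" written as "\/" (legal JSON, same value).
function serializeEscapingSlashes(value) {
  return JSON.stringify(value).replace(/\//g, "\\/");
}

// Context-aware alternative: leave "/" alone and escape only what matters
// inside an inline script block. "<" covers "</script" and "<!--"; raw
// U+2028/U+2029 are rejected in string literals by pre-ES2019 engines.
function serializeForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Constructed sample data.
const sample = { link: "/example/example1", note: "a</script>b" };

function report() {
  return [JSON.stringify, serializeEscapingSlashes, serializeForInlineScript]
    .map((fn) => {
      const json = fn(sample);
      const seen = scriptTextSeenByBrowser("var o = " + json + ";");
      return { name: fn.name, json, survives: parsesAsJs(seen) };
    });
}

console.log(report());
```

Only the plain JSON.stringify output is cut off mid-string by the parser model; both escaped forms survive and decode back to the same object.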