ColdFusion 10.0  -  Bug 3689049

Created on Saturday, January 4, 2014

Login for more options


serializeJson() escaped fwd slashes


See &

This applies to CF as well. Repo:

st = {"link" = "/example/example1"};
json1 = serializeJSON(st);

writedump(json1); // {"link":"\/example\/example1"}

CF should not be escaping fwd slashes: there's no need to. It should just stick to the JSON spec.

I've marked this as affecting CF10, but it effects CF9.


Test Configuration

My Hardware and Environment details:

App Language(s) English
OS Language(s) English
Platform(s) Platforms All

Notes (8)

  • Dave Merrill

    7:45:15 AM GMT+00:00 Nov 9, 2015

    Ach, in the note I just added, replace <InvalidTag> with an HTML script tag. Doh.

  • Dave Merrill

    7:43:56 AM GMT+00:00 Nov 9, 2015

    All well and good in theory and in most cases, but there's at least one scenario that the CF10 fix breaks, and that's when the result is output between <InvalidTag> tags, and the string or object being serialized contains the string "</script>". The exact error you get depends on the browser, but it happens in all I tested. Roughly speaking, it's an unterminated string error. (Chrome: Uncaught SyntaxError: Unexpected token ILLEGAL, Firefox: SyntaxError: unterminated string literal, IE: SCRIPT1015: Unterminated string constant.)

    I've attached a demo. In CF9, there's no error, the js object gets dumped to the console, and the value of the field containing that string gets alerted. In CF10, you get the above browser-dependent errors.

    The only fix that occurred to me was to specifically escape the forward slash in that context, only. Uncomment line 4 of the attached to see it in action. It works correctly on both CF9 and CF10, in all browesrs I tried.

    It's brittle and funky, bad code smell, and other suggestions are welcome, but absent any other ideas, I'd suggest that CF be updated to do that, so every bit of affected code doesn't have to.

  • Adam Cameron

    1:45:43 PM GMT+00:00 Oct 14, 2014

    Confirmed this is fixed in 10,0,14,291717. Cheers.

  • Awdhesh Kumar

    4:45:40 AM GMT+00:00 Mar 5, 2014

    In place of forward slash, backward slash will being skipped. Corrected..

  • Adam Cameron

    12:29:51 AM GMT+00:00 Feb 11, 2014

    Because there's no requirement to. Turn the question around: why *would you* escape them if it's not necessary?


  • Awdhesh Kumar

    9:43:20 PM GMT+00:00 Feb 9, 2014

    I don'y get why shouldn't we escape forward slashes. Anyway I made the required changes..

  • Adam Cameron

    2:35:31 AM GMT+00:00 Jan 29, 2014

    Yeah... you're misreading the RFC and the diagram on the JSON site, because they absolutely do NOT say that. Did you actually bother to read the links I gave you? Because we go through it all in there. You didn't did you? No. Did you think I posted them there to simply pass the time, or do you think I posted them there because they were important information relating to this ticket? Which was it likely to be?

    Even if you ignored the info I provided, had you bothered to do any investigation of this then you'd've quickly realised you are simply misreading the information in front of you.

    Go to and test validating this string: {"/": "/"}

    Indeed try to test with THIS string: {"\/": "\/"}. Note what jsonlint does? Gets rid of the unnecessary escaping.

    Then go into your console on your browser, and do this:
    o = JSON.parse('{"/": "/"}');

    Sorry to sound slightly contemptuous of your efforts here... it's because I *am* contemptuous of them.


  • Awdhesh Kumar

    2:19:15 AM GMT+00:00 Jan 29, 2014

    As per the JSON spec, forward slash should be escaped. Let me know if I am missing something.. and (page: 5).

Duplicate ID
Reported By Adam Cameron


State Closed
Status Fixed


Priority 3-High
Frequency Most users will encounter
Failure Type Incorrectly Functioning
Product Area AJAX


Found In Build Final
Fixed In Build CF10_Update14

Attachments (1)

Votes (0)

Your session has expired! Click to login
Current form data will be preserved