Coldfusion 10 returnformat="JSON" adding characters
I have an app that I'm working on converting from CF8 to CF10 and some of my remote CFCs where the data coming back should be JSON are now failing because there seems to be a "//" pre-pended to the returned data. For example here's an output of a returned structure:

//{"SUCCESS":true,"ERRORS":[],"DATA":{"COLUMNS":["AUTHRESULT","SPID","EMAIL","RID"],"DATA":[[true,361541,"[email protected]",""]]}} 

The same function run through the same CFC on the CF8 server gives:

{"ERRORS":[],"SUCCESS":true,"DATA":{"COLUMNS":["AUTHRESULT","SPID","EMAIL","RID"],"DATA":[[true,361541,"[email protected]",""]]}} 

The CFC that proxies all requests does have returnFormat="JSON" - but there is no SerializeJSON() being called in either the proxyCFC or the CFC that is extended from proxyCFC.

I'm not sure what's the best way to handle this. Trimming off the '//' in the response would be possible but it doesn't seem "right". I need to address it on the CF10 end of things because these functions are in use not only in our app, but some remote apps as well (and some are through http:// posts and some are through jQuery Ajax calls).

Gimbals answered 19/3, 2013 at 13:39 Comment(0)

That is a server-side setting in the ColdFusion admin, under Settings: "Prefix serialized JSON with". It is enabled by default for security. "Protects web services, which return JSON data from cross-site scripting attacks by prefixing serialized JSON strings with a custom prefix." Perhaps you had turned this off on your ColdFusion 8 server. I do not recommend turning it off though.

See this post from Raymond Camden - Handling JSON with prefixes in jQuery and jQueryUI

NOTE: this setting can also be set per-application by setting secureJSON and secureJSONPrefix in your Application.cfc file. See the documentation about that here - Application variables.

secureJSON - A Boolean value that specifies whether to add a security prefix in front of the value that a ColdFusion function returns in JSON-format in response to a remote call.

The default value is the value of the Prefix serialized JSON setting in the Administrator Server Settings > Settings page (which defaults to false). You can override this value in the cffunction tag.

secureJSONPrefix - The security prefix to put in front of the value that a ColdFusion function returns in JSON-format in response to a remote call if the secureJSON setting is true.

The default value is the value of the Prefix serialized JSON setting in the Administrator Server Settings > Settings page (which defaults to //, the JavaScript comment character).

Rossie answered 19/3, 2013 at 13:42 Comment(3)
Interesting - wasn't aware of that. So this really does need to be handled on the calling page / application side then to keep it secure. - Gimbals
Yes, that would be best. I did a little searching and it appears as though the administrator settings I referenced were first introduced with ColdFusion 9. I guess that explains why you did not see this on your ColdFusion 8 server. - Rossie
And a quick note on this too. I spent a lot of time trying to get the jQuery ajax side of this working. At first it was suggested to use ajaxSetup() with dataFilter and a regex to remove the '//' from JSON responses. After much trial and error it seems jquery.validate() breaks the ajaxSetup(), so the dataFilter must be placed in the remote section of the validation rules. - Gimbals
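
Added example (not from the original posts or from the linked article): one way to handle the prefix on the calling side, as discussed above, with a prefix-aware parser and a function that has jQuery's dataFilter signature. It assumes the default "//" prefix; the helper names, the URL in the comment and the sample bodies are constructed for illustration.

```javascript
// Client-side handling of ColdFusion's secureJSON prefix (added example).
// SECURE_JSON_PREFIX must match secureJSONPrefix on the server ("//" by default).
const SECURE_JSON_PREFIX = "//";

// Remove the prefix only when the body actually starts with it, so the same
// code works against servers with and without the setting enabled.
function stripSecureJsonPrefix(raw, prefix = SECURE_JSON_PREFIX) {
  if (typeof raw !== "string") return raw;
  // Tolerate a BOM or whitespace before the prefix.
  const body = raw.replace(/^\uFEFF/, "").trimStart();
  return prefix && body.startsWith(prefix) ? body.slice(prefix.length) : body;
}

// Parse with JSON.parse (never eval) after stripping the prefix.
// Malformed bodies still throw a SyntaxError for the caller to handle.
function parseSecureJson(raw, prefix = SECURE_JSON_PREFIX) {
  return JSON.parse(stripSecureJsonPrefix(raw, prefix));
}

// Builds a function with jQuery's dataFilter signature: (data, type).
// "type" is the request's dataType, so only requests made with
// dataType: "json" are touched; HTML or text bodies pass through unchanged.
function makeDataFilter(prefix = SECURE_JSON_PREFIX) {
  return function (data, type) {
    return type === "json" ? stripSecureJsonPrefix(data, prefix) : data;
  };
}

// Wiring (not executed here; needs jQuery in a browser, URL is hypothetical):
//   $.ajax({ url: "proxy.cfc?method=hypotheticalMethod", dataType: "json",
//            dataFilter: makeDataFilter() });

// Constructed sample responses shaped like the two in the question.
const cf10Body = '//{"SUCCESS":true,"ERRORS":[],"DATA":{"COLUMNS":["AUTHRESULT","SPID"],"DATA":[[true,361541]]}}';
const cf8Body = '{"ERRORS":[],"SUCCESS":true,"DATA":{"COLUMNS":["AUTHRESULT","SPID"],"DATA":[[true,361541]]}}';

console.log(parseSecureJson(cf10Body).DATA.DATA[0][1]);
console.log(parseSecureJson(cf8Body).SUCCESS);
```

Because the prefix is stripped only when present, the same filter can be attached per request, including inside the remote rule of a validation setup as the last comment describes.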
