Coldfusion 10 returnformat="JSON" adding characters

Question

I have an app that I'm working on converting from CF8 to CF10 and some of my remote CFCs where the data coming back should be JSON are now failing because there seems to be a "//" pre-pended to the returned data. For example here's an output of a returned structure:

//{"SUCCESS":true,"ERRORS":[],"DATA":{"COLUMNS":["AUTHRESULT","SPID","EMAIL","RID"],"DATA":[[true,361541,"user@domain.com",""]]}} 

The same function run through the same CFC on the CF8 server gives:

{"ERRORS":[],"SUCCESS":true,"DATA":{"COLUMNS":["AUTHRESULT","SPID","EMAIL","RID"],"DATA":[[true,361541,"user@domain.com",""]]}} 

The CFC that proxies all requests does have returnFormat="JSON" - but there is no SerializeJSON() being called in either the proxyCFC or the CFC that is extended from proxyCFC.

I'm not sure what's the best way to handle this. Trimming off the '//' in the response would be possible but it doesn't seem "right". I need to address it on the CF10 end of things because these functions are in use not only in our app, but some remote apps as well (and some are through http:// posts and some are through jQuery Ajax calls).

Answer 1

That is a server side setting in the ColdFusion admin, under settings. Prefix serialized JSON with. It is enabled by default for security. Protects web services, which return JSON data from cross-site scripting attacks by prefixing serialized JSON strings with a custom prefix.. Perhaps you had turned this off on your ColdFusion 8 server. I do not recommend turning it off though.

See this post from Raymond Camden - Handling JSON with prefixes in jQuery and jQueryUI

NOTE: this setting can also be set per-application by setting secureJSON and secureJSONPrefix in your Application.cfc file. See the documentation about that here - Application variables.

secureJSON - A Boolean value that specifies whether to add a security prefix in front of the value that a ColdFusion function returns in JSON-format in response to a remote call.

The default value is the value of the Prefix serialized JSON setting in the Administrator Server Settings > Settings page (which defaults to false). You can override this value in the cffunction tag.

secureJSONPrefix - The security prefix to put in front of the value that a ColdFusion function returns in JSON-format in response to a remote call if the secureJSON setting is true.

The default value is the value of the Prefix serialized JSON setting in the Administrator Server Settings > Settings page (which defaults to //, the JavaScript comment character).