A couple of years ago, I created a ColdFusion component - JsonSerializer.cfc - to help me serialize values in ColdFusion. There is a native method for this already - serializeJson() - but going from a case-insensitive language to a case-sensitive specification is fraught with peril. That said, JsonSerializer.cfc was still using the serializeJson() method internally for simple values. After discovering the serializeJson() bug, involving Unicode escape sequences, I've replaced the internal string serialization method with a manual string serialization approach.
To see this in action, I've put together a simple demo that serializes an input string that is known to cause problems:
<cfscript>

	// As of ColdFusion 10.0.14, the sequence u+1234 is incorrectly serialized as the
	// value \u1234. This is particularly harmful when you are serializing base64-encoded
	// data, such as embedded binary objects.
	input = "This sequence [ u+1234 ] causes problems in ColdFusion 10.0.14+.";

	// The JsonSerializer.cfc manually serializes the input, which lets it side-step the
	// ColdFusion serializeJson() bugs.
	serializedInput = new JsonSerializer().serialize( input );

	deserializedInput = deserializeJson( serializedInput );

	writeOutput( "Input: #input# <br />" );
	writeOutput( "Deserialized: #deserializedInput# <br />" );
	writeOutput( "Matches: #yesNoFormat( ! compare( input, deserializedInput ) )#" );

</cfscript>
As of ColdFusion 10.0.14, the input sequence "u+1234" is incorrectly encoded as "\u1234". However, using the updated JsonSerializer.cfc, we get the following page output:
Input: This sequence [ u+1234 ] causes problems in ColdFusion 10.0.14+.
Deserialized: This sequence [ u+1234 ] causes problems in ColdFusion 10.0.14+.
As you can see, the "u+1234" character sequence went through the serialization life-cycle intact.
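The manual approach described above, sketched as an added example (not code from this post or from JsonSerializer.cfc): a hypothetical serializeStringManually() function escapes only what the JSON grammar requires inside a string, so a literal "u+1234" is copied through untouched. The function name and the sample strings are assumptions constructed for illustration.

```cfml
<cfscript>
// Added example: serializeStringManually() is a hypothetical helper, not the
// JsonSerializer.cfc source. It escapes only what the JSON grammar requires
// inside a string: the quote, the backslash, and control characters < U+0020.
function serializeStringManually( required string value ) {
	var parts = [ '"' ];
	var valueLength = len( value );
	for ( var i = 1 ; i <= valueLength ; i++ ) {
		var c = mid( value, i, 1 );
		var code = asc( c );
		// Compare numeric code points so CFML's loose string comparison
		// never coerces a character into a number or boolean.
		switch ( code ) {
			case 34: arrayAppend( parts, '\"' ); break;
			case 92: arrayAppend( parts, "\\" ); break;
			case 8:  arrayAppend( parts, "\b" ); break;
			case 9:  arrayAppend( parts, "\t" ); break;
			case 10: arrayAppend( parts, "\n" ); break;
			case 12: arrayAppend( parts, "\f" ); break;
			case 13: arrayAppend( parts, "\r" ); break;
			default:
				if ( code < 32 ) {
					// Remaining control characters become \u00XX.
					arrayAppend( parts, "\u" & right( "0000" & formatBaseN( code, 16 ), 4 ) );
				} else {
					// Everything else, including "u+1234", is copied verbatim.
					arrayAppend( parts, c );
				}
		}
	}
	arrayAppend( parts, '"' );
	return arrayToList( parts, "" );
}

// Constructed samples: the post's input, a base64-alphabet string that
// happens to contain the same sequence, and a string that needs escaping.
samples = [
	"This sequence [ u+1234 ] causes problems in ColdFusion 10.0.14+.",
	"QUJDu+1234RUZH",
	"quote "" backslash \ tab #chr( 9 )# end"
];
for ( sample in samples ) {
	roundTripped = deserializeJson( serializeStringManually( sample ) );
	writeOutput( "Round-trip intact: #yesNoFormat( ! compare( sample, roundTripped ) )# <br />" );
}
</cfscript>
```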