Interesting JSON issue to look out for - and a cffileupload bug

This one surprised me - a lot. A reader wrote me this morning about an issue he was having following my tutorial on using cffileupload. He reported that files were being uploaded but the Flash control kept returning a red error result to the end user. I whipped out my copy of Charles, an excellent network tool, and looked at the response. It’s then I noticed that the JSON response was prefixed with //. Now - this is to be expected if you enable the “Prefix serialized JSON with” option in your ColdFusion administrator. However - all of ColdFusion’s front end Ajax-y widgets are supposed to recognize and account for this. The end result being you enable the feature and don’t have to worry about changing widgets like cfgrid, cfwindow, etc, and certainly cffileupload. Unfortunately, it looks like there is a bug (the report is here) and the feature completely breaks cffileupload.

Now here is where things get interesting. If you read the description in the ColdFusion Admin for this feature, it says:

Protects web services which return JSON data from cross-site scripting attacks by prefixing serialized JSON strings with a custom prefix.

This to me implies that when I request a CFC method with returnFormat=json that the prefix will be prepended to the result. However, in my tutorial, I was simply doing something like this:

<cfset str.STATUS = 200> <cfset str.MESSAGE = "passed"> <cfoutput>#serializeJSON(str)#</cfoutput>

This by itself was enough to modify the result. Even called on a page by itself - no Ajax involved - the result is prefixed with //. This is not what I expected.

Raymond Camden's Picture

About Raymond Camden

Raymond is a developer advocate. He focuses on JavaScript, serverless and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support.

Lafayette, LA https://www.raymondcamden.com

Comments