ColdFusion's JSON Prefix feature

That's a pretty poor title, but hopefully things will make more sense when I explain it. Earlier this week I blogged about JSON prefixes and how you could handle them in jQuery and jQuery UI. While not specifically a ColdFusion topic, it was easy to test since ColdFusion has a feature where it can automatically prefix your JSON strings. This can be done at the server level, application level, and even the method level if you want. So given a CFC that returns some data, if you enable this feature and use the default prefix of //, your JSON may look like this:

//{"Y":"ray","X":[1,2,3]}

No big deal. You can easily work around it. But here's what surprised me. I had always assumed this was for Ajax services only. By that I mean, given a CFC that returns data, if this feature is on and I request the CFC with returnformat=json, I'd expect that to be the only place where the prefix is added. Not true! Consider this:

<cfset d = {x=[1,2,3],y="ray"}> <cfoutput>#serializejson(d)#</cfoutput>

In this snippet, which has nothing to do with Ajax, nothing to do with remote CFC calls, the JSON string is also prefixed with //. Admittedly I can't think of many situations where I'm not using JSON for Ajax, but the point is, I did not expect this. Am I alone in this?

My recommendation is - you probably want to explicitly disable this feature in your Application.cfc file if you don't want to use it. Anyone who develops open source code or code that a client may put on a shared host will probably want to ensure the feature isn't enabled by accident.

Archived Comments

Comment 1 by Patrick Heppler posted on 11/15/2011 at 1:36 PM

I didn't expect this, too. Docs say: a security prefix in front of the value that a ColdFusion function returns in JSON-format in response to a remote call

Comment 2 by Gregory Marthews posted on 12/16/2011 at 12:43 AM

I do this very thing and simply run a global dataFilter via ajaxsetup to remove my custom prefix.

It works in all instances, i.e., JSON AJAX calls, and the serializedjson example you provided above.

I'm not an expert, but did I mis-understand your point? Granted, I'm running my own box, but I would think this would work via shared as well?

Comment 3 by Raymond Camden posted on 12/16/2011 at 12:53 AM

I think you did miss the point. :) What I said was, I assumed the JSON prefix stuff only happened when you requested the data via an XHR, or HTTP request in general. Ie, as part of the returnFormat=json support for CFCs. I didn't think it happened outside of those calls.

Comment 4 by Gregory Marthews posted on 12/16/2011 at 12:59 AM

10-4, but why would you recommend disabling this feature if the prefix can easily be handled via a global filter?

Comment 5 by Raymond Camden posted on 12/16/2011 at 1:05 AM

Notice I said to explicitly disable it if you don't want to use it. My point is - if it is turned on, and you aren't aware, and you work with JSON like I showed up, you can get screwed.

Comment 6 by Gregory Marthews posted on 12/16/2011 at 1:19 AM

Funny you should say that. That's exactly how I learned about it, i.e., I set the flag in CF Admin and started wondering why my scripts were all of a sudden breaking.

Thanks for the post as always.

Raymond Camden

ColdFusion's JSON Prefix feature - more than AJAX

Support this Content!

Archived Comments

Webmentions