James Moberg

isJson([InsertEscapedString]) = true? Really?

I was processing data that a third party was posting to our endpoint and quickly identified that the JSON data was a "quoted + escaped string of JSON-appearing data" rather than a valid JSON string containing either an array or objects.

{"name":"Mr. Test"}         //This is what I was expecting.
"{\"name\":\"Mr. Test\"}"   //Bad JSON, right? Nope. It's valid.
"\"this is a test\""        //Apparently this is valid JSON too.

If I use ColdFusion's isJSON(), it returns true. I tested this in TryCF.com and both ACF10-2021 and Lucee agreed that an escaped string of text (without any objects) was valid JSON. I compared the results against a couple of other online JSON validators and they also agreed that it was valid... except for the following services.

If I save the string into SQL Server AS-IS and attempt to use JSON_VALUE to retrieve the data, it will either throw an error or not return anything... so if MSSQL doesn't agree that it is JSON, how can it pass an isJSON() validation test?

JSON is built on two structures: a collection of name/value pairs or an ordered list of values. A simple escaped value does not meet the above definition. The "O" in JSON stands for "object". If the deserialized value isn't an "object", it's probably not JSON.

Is this a bug? I'm wondering why ColdFusion doesn't perform an extra test to determine if the value returns true for either isStruct() or isArray() rather than blindly claiming that any escaped string is valid JSON. I've reported other issues in the past with ColdFusion's black box validation of integers, emails, URLs and dates and have had to write my own user-defined functions to work around inconsistencies so that I could use CF-validated values with third-party services that adhere to stricter standards of validation.

Thoughts?
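
The extra isStruct()/isArray() test suggested above, written out as an added example (not code from the original post or from ColdFusion itself). `classifyJsonPayload` is a hypothetical helper name and the sample strings are constructed from the ones in the post; it relies only on the built-ins isJSON(), deserializeJSON(), isStruct(), isArray(), isSimpleValue() and isNull().

```cfml
<cfscript>
// Hypothetical helper: report what a payload really is instead of
// trusting isJSON() alone. kind is one of:
// invalid | object | array | double-encoded | scalar
function classifyJsonPayload(required string raw) {
    var result = { kind = "invalid", data = "" };
    if (!isJSON(arguments.raw)) {
        return result;
    }
    var parsed = deserializeJSON(arguments.raw);
    // A top-level JSON null may come back as a CFML null on some engines.
    if (isNull(parsed)) {
        result.kind = "scalar";
        return result;
    }
    if (isStruct(parsed) || isArray(parsed)) {
        result.kind = isStruct(parsed) ? "object" : "array";
        result.data = parsed;
        return result;
    }
    // Top-level string, number or boolean. If it is a string that itself
    // parses to a struct or array, the sender serialized the payload twice.
    if (isSimpleValue(parsed) && isJSON(parsed)) {
        var inner = deserializeJSON(parsed);
        if (!isNull(inner) && (isStruct(inner) || isArray(inner))) {
            result.kind = "double-encoded";
            result.data = inner; // caller decides: reject, or accept and log
            return result;
        }
    }
    result.kind = "scalar";
    return result;
}

// Constructed sample inputs. Backslashes stay literal in single-quoted CFML strings.
samples = [
    '{"name":"Mr. Test"}',
    '"{\"name\":\"Mr. Test\"}"',
    '"\"this is a test\""',
    'not json'
];
for (s in samples) {
    writeOutput(encodeForHTML(s) & " : " & classifyJsonPayload(s).kind & "<br>");
}
</cfscript>
```

Rejecting the "scalar" and "double-encoded" kinds at the endpoint, before the string is stored, keeps values that JSON_VALUE cannot query out of the database.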
