DEV Community

Cover image for isJson([InsertEscapedString]) = true?  Really?
James Moberg
James Moberg

Posted on

isJson([InsertEscapedString]) = true? Really?

I was processing data that a third-party was posting to our endpoint and quickly identified that the JSON data was a "quoted + escaped string of JSON-appearing data" rather than a valid JSON string containing either an array or objects.

{"name":"Mr. Test"}         //This is what I was expecting.
"{\"name\":\"Mr. Test\"}"   //Bad JSON, right? Nope. It's valid.
"\"this is a test\""        //Apparently this is valid JSON too.
Enter fullscreen mode Exit fullscreen mode

If I use ColdFusion's isJSON(), it returns true. I tested this in and both ACF10-2021 and Lucee agreed that an escaped string of text (without any objects) was valid JSON. I compared the results against a couple of other online JSON validators and they also agreed that it was valid... except for the following services.

If I saved the string into SQL Server AS-IS and attempt to use JSON_VALUE to retrieve the data, it will either throw an error or not return anything... so if MSSQL doesn't agree that it is JSON, how can it pass an isJSON() validation test?

JSON is built on two structures; a collection of name/value pairs or an ordered list of values. A simple escaped value does not meet the above definition. The "O" in JSON stands for "object". If the deserialized value isn't an "object", it's probably not JSON.

Is this a bug? I'm wondering why ColdFusion doesn't perform an extra test to determine if the value returns true for either isStruct() or isArray() rather than blindly claiming that any escaped string is valid JSON. I've reported other issues in the past with ColdFusion's black box validation of integers, emails, URLs and dates and have had to write my own user-defined functions to work around inconsistencies so that I could use CF-validated values with third-party services that adhere to more stricter standards of validation.


Discussion (0)