Skip to main content
Ben Nadel at cf.Objective() 2014 (Bloomington, MN) with: Pradnya Kambli
Ben Nadel at cf.Objective() 2014 (Bloomington, MN) with: Pradnya Kambli

SerializeJson() Escapes Forward-Slashes In ColdFusion

By
Published in , Comments (9)

After my post yesterday about security precautions when using jsStringFormat() in ColdFusion, I wondered if the serializeJson() function would be susceptible to the same kind of Cross-Site Scripting (XSS) attack. Luckily, serializeJson() escapes forward-slashes, which prevents the premature closing of Script tags.

To test this, I create a small ColdFusion object, appended a malicious "</script>" tag to one of the values, and then serialized it for use within a JavaScript context:

<cfscript>

	// Our object of user-provided values.
	user = {
		"name" = "Tricia Smith",
		"nickname" = "T-rex"
	};

	// Attempt to add the malicious code that will break the
	// JavaScript code blog interpretation.
	user.name &= "</script>";

</cfscript>


<!--- ----------------------------------------------------- --->
<!--- ----------------------------------------------------- --->


<cfoutput>
	<script type="text/javascript">

		var user = #serializeJson( user )#;

	</script>
</cfoutput>

When you run this code, and then view the resulting page source, you will see that serializeJson() prevents the interpretation of the closing script tag:

var user = {"name":"Tricia Smith**<\/script>**","nickname":"T-rex"};

Nicely done, ColdFusion, nicely done. As you can see, the malicious code is blocked because it fails to close the current JavaScript context.

Want to use code from this post? Check out the license.

Reader Comments

16 Comments

This is a bug in the implementation of serializeJson(), most likely due to Adobe misreading the JSON spec/RFC.

Slashes don't need to be escaped, and accordingly *shouldn't* be escaped.

This came up on the Railo Google Group a few weeks ago (https://groups.google.com/d/msg/railo/4EiksqmZgas/O30ZvtV8JsoJ), and have accepted this as a bug (https://issues.jboss.org/browse/RAILO-2807). I'll raise a similar one for CF if CF is doing this too (https://bugbase.adobe.com/index.cfm?event=bug&id=3689049)

--
Adam

15,902 Comments

@Adam,

If it's a bug, then it's a fortuitous one. Without the escaping of the forward slashes, the object serialization would more likely leave open an opportunity for an XSS attack.

That said, it's possible that serializeJson() was never intended to be used as a way to define actual JavaScript code. Doing so, may be outside the bounds of what is considered an accepted use-case.

That said, I _do_ use it that way :)

16 Comments

Convenient as it is, the function's intended purpose is to serialise a CFML object into JSON. It's not serializeJsonAndNodToXss(). A function should generally just do one thing.

CF has other functions specifically for sanitising JS for XSS considerations.

--
Adam

15,902 Comments

@Adam,

I understand, and I agree. I think the way I use serializeJson() is definitely not how it was intended. And, to be fair, it's in the vast minority of my use-cases. That said, I _do_ use it this way, so it's better to know than to be left in wonder :)

2 Comments

Hi Ben,
when I upgrade to ColdFusion 11, my original code doesn't work any more. The serializeJson works weirdly.
My code is like the following:
<cfset qloops = "Prh8MgOfv/gXkxhBU+FAAFgAgmqOCCAnnRgBIu+EBABAxWaOGFFXrBhhAE+ICADRiGKOKIsHlxB4cBU">
<cfdump var="#serializeJson(qLoops)#">

and I got this:
"Prh8MgOfv/gXkxhB\uFAAFgAgmqOCCAnnRgBI\uEBABAxWaOGFFXrBhhAE+ICADRiGKOKIsHlxB4cBU"

the original gXkxhBU+FAA becomes gXkxhB\uFAA.

I believe in love. I believe in compassion. I believe in human rights. I believe that we can afford to give more of these gifts to the world around us because it costs us nothing to be decent and kind and understanding. And, I want you to know that when you land on this site, you are accepted for who you are, no matter how you identify, what truths you live, or whatever kind of goofy shit makes you feel alive! Rock on with your bad self!
Ben Nadel