Escape to be Safe
Every once in a while this comes back to bite me when working with Ajax and creating the JSON return data by "hand". Just last week I had a strange problem with a lazy loading Ajax tree; one of the nodes stopped loading the children.
I checked what my CFC was returning and it looked OK on the surface. On closer inspection I noticed that a user had added quotes where I didn't expect them to be, which leads to another issue with users, and that is: always expect the unexpected!
If you are going to be sending text back to an Ajax control, it's probably best to escape all strings, especially if you don't have full control over what the user can add. Anything that JS can barf on, it's best to "escape to be safe".
Of course this wouldn't have been a problem if the server I was on was ColdFusion 8. I would simply have had to set the returnformat=JSON and forget about it. Which is probably one of the reasons I didn't think about escaping the strings in the first place.
I will be glad when we finally move this project over to ColdFusion 8!
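
The failure described above and the escaping that prevents it, as an added example that is not code from the original post. It is written in JavaScript so it can be run directly; the sample label and all function names are assumptions, and a hand-built response in a CFC would need the same escaping rules.

```javascript
// Constructed sample input: a node label containing characters a user might type.
const label = 'Reports "2007" \\ drafts\nline two';

// Hand-built JSON with the raw text concatenated in (the failing case).
function buildNodeNaive(id, text) {
  return '{"id":' + id + ',"text":"' + text + '"}';
}

// Escape a value for use inside a JSON string literal: double quote,
// backslash and all control characters below U+0020 must be escaped.
// U+2028/U+2029 are escaped too, because older JavaScript engines reject
// them when the response is evaluated as script rather than parsed as JSON.
function escapeJsonString(s) {
  return String(s).replace(/["\\\u0000-\u001f\u2028\u2029]/g, (ch) => {
    switch (ch) {
      case '"': return '\\"';
      case '\\': return '\\\\';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\t': return '\\t';
      case '\b': return '\\b';
      case '\f': return '\\f';
      default:
        return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

// Same hand-built response, with the id validated and the text escaped.
function buildNodeEscaped(id, text) {
  if (!Number.isInteger(id)) throw new TypeError('id must be an integer');
  return '{"id":' + id + ',"text":"' + escapeJsonString(text) + '"}';
}

// Parse the way an Ajax tree control would, reporting failure instead of throwing.
function tryParse(json) {
  try {
    return { ok: true, value: JSON.parse(json) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

console.log('naive  :', tryParse(buildNodeNaive(7, label)));
console.log('escaped:', tryParse(buildNodeEscaped(7, label)));
```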