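This weekend I read an interesting blog post called "JSON: The JavaScript subset that isn't" and decided to test ColdFusion's SerializeJSON() function to see if the "bug" existed there. It does. SerializeJSON() emits U+2028 (line separator) and U+2029 (paragraph separator) unescaped, which is valid JSON, but JavaScript engines that predate ES2019 treat both as line terminators, so a string literal containing either one fails with a syntax error. To reproduce, you can create a .cfm page that contains the following HTML/CF code: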
<cfoutput>
<script type="text/javascript">
var test = #SerializeJSON("test" & chr(8232))#;
</script>
</cfoutput>
To "fix" the bug, you can replace SerializeJSON() with SafeSerializeJSON() like this:
<cfoutput>
<script type="text/javascript">
var test = #SafeSerializeJSON("test" & chr(8232))#;
</script>
</cfoutput>
The SafeSerializeJSON() function looks like this:
<cffunction name="SafeSerializeJSON" output="false" access="private" returntype="string">
    <cfargument name="obj" type="any" required="true" />
    <cfargument name="serializeQueryByColumns" type="boolean" required="false" default="false" />
    <!--- Serialize as usual, then escape the two separators SerializeJSON() leaves raw --->
    <cfset var jsonOutput = SerializeJSON(arguments.obj, arguments.serializeQueryByColumns) />
    <!--- chr(8232) is U+2028 (line separator), chr(8233) is U+2029 (paragraph separator) --->
    <cfset jsonOutput = Replace(jsonOutput, chr(8232), "\u2028", "all") />
    <cfset jsonOutput = Replace(jsonOutput, chr(8233), "\u2029", "all") />
    <cfreturn jsonOutput />
</cffunction>
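The following JavaScript is an added example, not code from the original post: it ports the same replace-based fix and checks that it is lossless, including for separators in keys and for a string that already contains the literal text \u2028. The names safeSerializeJSON, findRawSeparators and demo, and the sample object, are constructed for illustration.

```javascript
const LS = "\u2028"; // LINE SEPARATOR, chr(8232) in CFML
const PS = "\u2029"; // PARAGRAPH SEPARATOR, chr(8233) in CFML

// Serialize, then swap each raw separator for its six-character JSON escape.
// In valid JSON these code points can only occur inside string literals
// (JSON whitespace is space, tab, LF and CR), so a global replace cannot
// change the structure of the document.
function safeSerializeJSON(value) {
  return JSON.stringify(value)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Report offsets of raw separators in already-serialized text, for example
// to audit what another serializer produced.
function findRawSeparators(jsonText) {
  const hits = [];
  for (let i = 0; i < jsonText.length; i++) {
    const c = jsonText[i];
    if (c === LS || c === PS) hits.push({ offset: i, codePoint: c.charCodeAt(0) });
  }
  return hits;
}

// Constructed sample: separators in a value, in a key and in a nested array,
// plus a string holding the literal six characters \u2028.
const sample = {
  plain: "test" + LS,
  ["key" + PS]: [LS + PS],
  literal: "\\u2028",
};

function demo() {
  const raw = JSON.stringify(sample);   // JSON.stringify leaves both raw
  const safe = safeSerializeJSON(sample);
  return {
    rawHits: findRawSeparators(raw).length,
    safeHits: findRawSeparators(safe).length,
    // Parsing the escaped text must give back exactly the original data.
    roundTrips: JSON.stringify(JSON.parse(safe)) === raw,
    safe,
  };
}

console.log(demo());
```

The pre-existing literal `\u2028` text survives untouched because the serializer has already doubled its backslash, so the replace only ever sees the raw code points.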
I've created a gist that explores the issue in slightly more detail: