comment from Adam Cameron:
The slash doesn't NEED to be escaped in JSON. The rule - as per the spec you link to, and borne out in the real world (including, I hasten to add: Railo) - is "any unicode character except double quote or backslash" is a char. A fwd slash is not a special char needing to be escaped. However if the backslash is present, then one of the acceptable following characters is a fwd slash. But this is not to say that the fwd slash NEEDS to be escaped. It just can be escaped.
I would think any baseline / automated implementation (just as serializeJson() implemented) should NOT do unnecessary escaping? I can only presume that Railo is following CF's lead here. However I think that's a facile approach in this case: Railo should follow the rules of JSON, not CF's interpretation of them.
As an aside... ColdFusion fails on this code, Railo does not:
<cfset json = '
Note that I am incorrectly (and entirely by accident: copy and paste from the original code) using "=" instead of ":" as the "assignment operator" in that string. That's not valid. Railo should error on that input. CF gets it right (so does OBD, FWIW). If I replace the "=" with a ":" to make it valid JSON, all three engines parse it fine. Note that the fwd slashes are not unnecessarily escaped.