JSON makes very good use of Javascript’s literal object notation. But it’s a consequence of this fact that a JSON message can conveniently be processed by reading it into a variable and then running eval on the variable. [...] The moment you do this, of course, you expose your code to a Javascript injection attack.

• Michael Sperberg-McQueen | Messages in a bottle

I'm really enjoying Michael Sperberg-McQueen's klog. I hope he keeps it up.