2006-04-06

AJAX: Is Your Application SECURE Enough?

Ajax Programming

The related discussion on Digg is also pretty informative.

Some hints:

- Validating anything you run through eval() to make sure it's just JSON, and not malicious code -- json.js
- Calling the JSON.parse(...) method instead of the eval(...) function
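
The two hints above, shown side by side in an added example that is not code from the original post or from json.js itself. The payloads, the `recordSideEffect` marker and all function names are constructed for illustration; the regular-expression pre-check is modelled on the one in json2.js.

```javascript
// Added example; the payloads are constructed for illustration.
let sideEffects = 0;                          // counts "code hidden in data" that ran
function recordSideEffect() { sideEffects += 1; return "x"; }

// Unsafe baseline: eval() executes any expression found in the response text.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Hint 1: only eval() text that reduces to JSON punctuation once escapes,
// strings, numbers and literals are stripped (pre-check modelled on json2.js).
function validateThenEval(text) {
  const reduced = String(text)
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
    .replace(/(?:^|:|,)(?:\s*\[)+/g, "");
  if (!/^[\],:{}\s]*$/.test(reduced)) {
    throw new SyntaxError("response is not JSON");
  }
  return eval("(" + text + ")");
}

// Hint 2: JSON.parse() accepts only the JSON grammar and never executes input.
function parseStrict(text) {
  return JSON.parse(text);
}

const benign = '{"user":"alice","roles":["reader"]}';
const hostile = '{"user": recordSideEffect()}';   // a call where data should be

// True when the parser refuses the text with a SyntaxError.
function rejects(parser, text) {
  try { parser(text); return false; } catch (err) { return err.name === "SyntaxError"; }
}

function demo() {
  sideEffects = 0;
  parseWithEval(hostile);                      // the embedded call runs
  const evalRanCode = sideEffects === 1;
  const checkedRejects = rejects(validateThenEval, hostile);
  const strictRejects = rejects(parseStrict, hostile);
  return {
    evalRanCode, checkedRejects, strictRejects,
    ranAfterChecks: sideEffects > 1,           // must stay false
    sameValue: validateThenEval(benign).roles[0] === parseStrict(benign).roles[0],
  };
}

console.log(demo());
```

Where a native `JSON.parse` is available, prefer it over the validate-then-eval form: it needs no pre-check to stay safe and never reaches `eval()` at all.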