Is JSON.parse() really safer than eval() when web page and ajax call come from same server?

无人及你 2021-02-05 14:43

I get that JSON.parse() prevents an attacker from injecting javascript into the response since a JSON parser is just a text parser, not a script parser so please don't close th
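As an added illustration of the point in the question (not code from the original post), the snippet below decodes the same constructed response body two ways: a strict `JSON.parse()` decoder with a shape check, and the legacy `eval()` pattern. The body is a hypothetical tampered AJAX response; JSON.parse rejects it because it is not valid JSON, whereas eval runs the embedded expression.

```javascript
// Constructed sample bodies (hypothetical): one legitimate JSON response and
// one where a JavaScript expression was spliced into the body in transit.
const goodBody = '{"user": "alice", "role": "viewer"}';
const tamperedBody =
  '{"user": "alice", "role": (function () { return "admin"; })()}';

// Hardened decoder: JSON.parse only accepts the JSON grammar, so anything that
// is executable code (rather than data) throws a SyntaxError instead of running.
// The shape check then guarantees callers only ever see the expected fields.
function parseUserResponse(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return { ok: false, error: 'invalid JSON: ' + e.message };
  }
  if (
    typeof data !== 'object' || data === null ||
    typeof data.user !== 'string' || typeof data.role !== 'string'
  ) {
    return { ok: false, error: 'unexpected response shape' };
  }
  return { ok: true, user: data.user, role: data.role };
}

// Legacy decoder for contrast: eval treats the body as a program, so the
// spliced-in function is executed and its return value lands in the object.
function legacyEvalDecode(body) {
  // Parentheses make the object literal an expression rather than a block.
  return eval('(' + body + ')');
}
```

Running `parseUserResponse(tamperedBody)` returns `{ ok: false, ... }`, while `legacyEvalDecode(tamperedBody).role` is `"admin"` because the expression was executed.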

4 answers
  •  长发绾君心
    2021-02-05 15:17

    Well, if they're able to inject into your AJAX responses they've probably already successfully man-in-the-middle'd you in one way or another (ARP, DNS or something else).

    See http://en.wikipedia.org/wiki/Man-in-the-middle_attack for more details on these types of attack.

    You are correct in that, if they can inject into your AJAX response, they can inject whole pages as well. Really, anything you receive OR send via networking is now vulnerable in a MitM unless something like HTTPS/SSL is being used.
