Re: Sending html via ajax -vs- building html in js (was: jQuery Ajax request to update a PHP variable)

From: BRIAN TINGLE <brian.tingle.cdlib.org_at_nyob>
Date: Thu, 8 Dec 2011 08:33:02 -0800
To: CODE4LIB_at_LISTSERV.ND.EDU

Maybe I fully misunderstood this conversation, but I was assuming a scenario where the developer has full control of the script and the server.

> If you blindly include whatever you get back directly into the page,
> it might include either badly performing, out of date, or potentially
> malicious <script> tags that subsequently destroy the page.  It's the
> equivalent of blindly accepting web form input into an SQL query and
> then wondering where your tables all disappeared off to.


Well, of course I'm not going to inject some HTML into a page from a source I don't trust.  I don't see how HTML vs. JSON relates to that point.
Received on Thu Dec 08 2011 - 11:34:29 EST