If you have a page that uses a JSON API, don’t convert the JSON response strings into objects using eval(), because eval() executes the string as script rather than just reading it as data. If it’s an external API, you can’t be sure the provider has sanitized the response of malicious or broken script. Instead, use a JS library that’s designed to parse JSON safely, such as json2.js from json.org.
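The difference in behaviour, as an added example that is not part of the original page: the same constructed response bodies are passed through eval() and through JSON.parse, the parsing function that json2.js defines when the browser has no native one. The function names, the sideEffectRan marker and the sample bodies are assumptions made for the illustration.

```javascript
// Constructed sample response bodies (not taken from any real API).
const goodBody = '{"user": "alice", "roles": ["admin"]}';
// A valid JavaScript expression that is NOT valid JSON: evaluating it has a side effect.
const scriptBody = '(globalThis.sideEffectRan = true, {"user": "mallory"})';
// A truncated response, as a broken upstream might send.
const brokenBody = '{"user": "alice", ';

// The pattern the text warns against: the response body is executed as script.
function parseWithEval(body) {
  return eval('(' + body + ')');
}

// The safe pattern: JSON.parse accepts only the JSON grammar and never runs code.
// Anything outside that grammar is rejected with a SyntaxError.
function parseJsonSafely(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Runs both parsers over the constructed bodies and reports what happened.
function demo() {
  globalThis.sideEffectRan = false;
  const evalResult = parseWithEval(scriptBody);
  const evalRanCode = globalThis.sideEffectRan; // script in the body executed

  globalThis.sideEffectRan = false;
  const safeResult = parseJsonSafely(scriptBody);
  const parseRanCode = globalThis.sideEffectRan; // nothing executed

  return {
    evalResult,
    evalRanCode,
    safeResult,
    parseRanCode,
    good: parseJsonSafely(goodBody),
    broken: parseJsonSafely(brokenBody),
  };
}

console.log(demo());
```

Callers should treat an ok: false result as a failed request instead of falling back to eval().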