JSON security best practices?

Front-end · unresolved · 3 · 1223
傲寒 2020-11-28 19:41

While researching the issue of JSON vs XML, I came across this question. Now one of the reasons to prefer JSON was listed as the ease of conversion in JavaScript, namely wi

3 answers
  •  野趣味 (original poster)
     2020-11-28 20:02

    The main security hole from the blog (CSRF) is not JSON-specific. It's just as big a hole using XML instead. Indeed, it's just as bad with no asynchronous calls at all; regular links are just as vulnerable.

    When people talk about unique URLs, they generally DON'T mean http://yourbank.com/json-api/your-name/big-long-key-unique-to-you/statement. Instead, it's more common to make something else about the request unique; namely a value in the FORM post, or a URL parameter.

    Usually this involves a random token inserted into the FORM on the server side, and then checked when a request is made.

    The array/object thing is news to me:

    Script-Tags: The attacker can embed a script tag pointing at a remote server and the browser will effectively eval() the reply for you, however it throws away the response and since JSON is all response, you're safe.

    In that case, your site doesn't need to use JSON at all to be vulnerable. But yeah, if an attacker can insert random HTML into your site, you're toast.
