For JSON, web application programmers are left to their own devices
by XHR2, and will more often than not end up using eval to parse the
JSON data that they have retrieved, effectively again passing
execution control to b.com.

AFAIK, Crockford's json.js library is effective in validating JavaScript such that JSON data can be properly executed without allowing arbitrary code execution. In addition, I would be surprised if we don't see native JSON evaluators in browsers in the next rev of browsers. Therefore, I don't think this is a problem. We have effective means for safely parsing JSON data, as long as we have a mechanism for loading the text.

That being said, I would love to see XHR2 include an additional property getter for "responseJSON" that provided access to safely natively parsed JSON. It is kind of silly that XHR provides responseXML, when most modern devs are using JSON.

Kris
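An added illustration of the "responseJSON" idea discussed above (example code, not from the thread or from json.js): a getter layered over an XHR-like object that hands response text to the native parser only, so text that is JavaScript rather than JSON is rejected instead of executed. The `parseResponseJSON` / `withResponseJSON` helper names and the sample response strings are constructed for this example.

```javascript
// Added example (not from the original thread): a "responseJSON"-style
// getter over an XHR-like object, using the native JSON parser instead of
// eval so that response text is only ever treated as data.

// Constructed sample responses standing in for what an XHR would return.
const SAMPLE_JSON = '{"user":"alice","roles":["reader"],"n":3}';
// Looks like JSON but carries a call expression: eval would run it,
// the native parser rejects it.
const SAMPLE_WITH_CODE = '{"user": (function(){ return "injected"; })()}';

// Parse response text as pure data. Any syntax that is not JSON
// (function literals, calls, identifiers, comments) makes JSON.parse
// throw a SyntaxError, so no execution control passes to the origin
// that produced the text.
function parseResponseJSON(text) {
  if (typeof text !== 'string') {
    throw new TypeError('response text must be a string');
  }
  return JSON.parse(text);
}

// Attach a lazily evaluated, cached responseJSON getter to an XHR-like
// object (hypothetical helper; real XHR objects expose responseText and
// responseXML only). Parse errors surface to the caller, not swallowed.
function withResponseJSON(xhrLike) {
  let cached;
  let parsed = false;
  Object.defineProperty(xhrLike, 'responseJSON', {
    get() {
      if (!parsed) {
        cached = parseResponseJSON(xhrLike.responseText);
        parsed = true;
      }
      return cached;
    },
  });
  return xhrLike;
}

// Returns the parsed value on success or the error name on rejection,
// so callers can tell data from non-JSON without ever using eval.
function tryParse(text) {
  try {
    return { status: 'ok', value: parseResponseJSON(text) };
  } catch (e) {
    return { status: 'rejected', error: e.name };
  }
}
```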
