[Catalyst] implementing ajax

Ashley apv at sedition.com
Wed Mar 12 19:15:59 GMT 2008


On Mar 12, 2008, at 11:55 AM, Matt Pitts wrote:
> My argument is this: if you want to return sensitive data for an AJAX
> app doing so using eval-able JS or even pure JSON increases the risk
> that your data could be hijacked via cross-site attacks.

Like everything else, it's only risky if you do it wrong. Always wrap
it in {}. Enforce authn/authz; even the suggestion that you might
not is horrific/ludicrous. Know what you're sending. Don't let users
put code on your site in their data. All the usual suspects from there.

-Ashley
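The rules in the reply above (wrap the response in {}, enforce authn/authz before anything is serialised, know what you send, keep user data from becoming code) as an added, self-contained example. This is not code from the thread or from Catalyst; the prefix string, the `session_user`/`csrf_token_ok` inputs and the sample payloads are assumptions constructed for the example, and the header names are standard HTTP headers.

```python
import json
from http import HTTPStatus

# Assumed convention (not from the thread): a prefix that makes the body a
# JavaScript syntax error if a third-party page loads it via <script src=...>.
# A legitimate same-origin XHR client strips it before handing the text to a
# real JSON parser.
ANTI_HIJACK_PREFIX = ")]}',\n"

JSON_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",   # browser must not reinterpret as script
    "Cache-Control": "no-store",           # sensitive data: never cache
}


def wrap_in_object(payload):
    """The "always wrap it in {}" rule.

    A dict is already a JSON object and is left alone; a bare top-level
    array or scalar is placed under a "data" key so the response text is
    never a valid stand-alone JavaScript expression statement.
    """
    if isinstance(payload, dict):
        return payload
    return {"data": payload}


def dump_json_for_html(obj):
    """Serialise with a JSON encoder and additionally escape the characters
    that would let user-supplied strings close a <script> element if the
    output is ever inlined into a page ("don't let users put code on your
    site in their data"). The escaped form is still valid JSON.
    """
    text = json.dumps(obj, ensure_ascii=True)
    return (text.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


def build_json_response(payload, session_user, csrf_token_ok):
    """Return (status, headers, body) for an AJAX endpoint serving sensitive data.

    session_user and csrf_token_ok are hypothetical inputs standing in for the
    framework's session lookup and per-session anti-CSRF token check.
    """
    # Authentication first: nothing is serialised for an anonymous caller.
    if session_user is None:
        return HTTPStatus.UNAUTHORIZED, dict(JSON_HEADERS), ""
    # Authorization / anti-CSRF: a cross-site request carries the cookie but
    # cannot carry the per-session token, so it is rejected before any data
    # is touched.
    if not csrf_token_ok:
        return HTTPStatus.FORBIDDEN, dict(JSON_HEADERS), ""
    body = ANTI_HIJACK_PREFIX + dump_json_for_html(wrap_in_object(payload))
    return HTTPStatus.OK, dict(JSON_HEADERS), body


def parse_guarded_json(text):
    """Client-side counterpart: verify and strip the prefix, then use a real
    JSON parser (never eval) on the remainder."""
    if not text.startswith(ANTI_HIJACK_PREFIX):
        raise ValueError("missing anti-hijack prefix; refusing to parse")
    return json.loads(text[len(ANTI_HIJACK_PREFIX):])


if __name__ == "__main__":
    # Constructed sample: an authenticated, same-origin request for a list.
    status, headers, body = build_json_response(
        [{"account": "acct-001", "balance": 42}], "alice", True)
    print(status, headers["Content-Type"])
    print(body)
    print(parse_guarded_json(body))
    # Constructed sample: user-supplied string that looks like markup.
    print(build_json_response({"name": "</script><b>x</b>"}, "alice", True)[2])
```

The three layers are independent: the object wrapper and prefix stop the body from being usable as a script even if every other control fails, the authn/authz gate means an anonymous or cross-site request never reaches serialisation, and the HTML-safe encoder keeps user data inert if the same JSON is later inlined into a template.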
