by wwweston 5293 days ago
"you should not be using eval() client side either for much the same reasons you should not be using it server-side"

Can you explain this? I'd think on the server side you'd do it because you should never trust client input. On the client side, though, presumably you can trust the input from your own server.

I recognize things can get a bit trickier when you have scripts from untrusted sources mingling with yours in the same page, but at that point, given the dynamic nature of JavaScript and the way behavior attached to DOM elements can be wrapped/changed, I'm not sure eval vs JSON.parse is really your biggest problem, and I could totally see someone who knew about JSON.parse going with eval on the client side using that line of reasoning.

2 comments

"I recognize things can get a bit trickier when you have scripts from untrusted sources mingling with yours in the same page"

Well, that's it exactly. Today's trivial unexploitable vulnerability gets combined with tomorrow's trivial unexploitable vulnerability and voila, arbitrary command execution as the web server user. Or whatever. There's no vulnerability too trivial to fix, because in reality you can never be sure that a given vulnerability is unexploitable today, or will remain unexploitable tomorrow.

Used client-side you are still exposing yourself to cross-site security issues and the like. While you are right that the client-side JS environment is prone to this by other methods, this doesn't mean you should open up this method too.
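As an added example (not part of the thread, not anyone's posted code), here is the difference the reply is pointing at: a body that only looks like JSON is executed by eval but rejected by JSON.parse. The server response, the page-global `recordSideEffect` and the `parseUserRecord` wrapper are all constructed for illustration.

```javascript
// Constructed example: why JSON.parse is preferred over eval even for
// responses from "your own" server. TAINTED_RESPONSE stands in for a body
// where one field was turned into live code, by an attacker-controlled value
// or by a future bug in the server's encoder.

let sideEffects = 0;
// Hypothetical page-global that an evaluated expression can reach.
function recordSideEffect() { sideEffects += 1; return 1; }

const HONEST_RESPONSE = '{"user":"alice","roles":["editor"]}';
// Constructed: valid JavaScript object literal, but NOT valid JSON.
const TAINTED_RESPONSE = '{"user":"alice","roles":[recordSideEffect()]}';

// The "eval is fine client-side" approach from the thread.
function parseWithEval(body) {
  return eval('(' + body + ')'); // runs any expression embedded in the body
}

// Defensive wrapper: JSON.parse rejects anything that is not data, and the
// shape check stops a malformed body from reaching application code.
function parseUserRecord(body) {
  let obj;
  try {
    obj = JSON.parse(body);
  } catch (e) {
    return { ok: false, error: 'not JSON: ' + e.message };
  }
  if (typeof obj !== 'object' || obj === null || typeof obj.user !== 'string' ||
      !Array.isArray(obj.roles) || !obj.roles.every(r => typeof r === 'string')) {
    return { ok: false, error: 'unexpected shape' };
  }
  return { ok: true, value: obj };
}

// Runs both parsers over the constructed bodies and reports what happened.
function demo() {
  const before = sideEffects;
  parseWithEval(TAINTED_RESPONSE);           // recordSideEffect() executes here
  const evalRanCode = sideEffects === before + 1;
  let jsonThrew = false;
  try { JSON.parse(TAINTED_RESPONSE); } catch (e) { jsonThrew = e instanceof SyntaxError; }
  return {
    evalRanCode,
    jsonThrew,
    honestAccepted: parseUserRecord(HONEST_RESPONSE).ok,
    taintedAccepted: parseUserRecord(TAINTED_RESPONSE).ok,
  };
}
```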