Maybe I fully misunderstood this conversation; but I was assuming a scenario where the developer has full control of the script and the server. > If you blindly include whatever you get back directly into the page, > it might include either badly performing, out of date, or potentially > malicious <!cript> tags that subsequently destroy the page. It's the > equivalent of blindly accepting web form input into an SQL query and > then wondering where your tables all disappeared off to. Well, of course I'm not going to inject some HTML into a page from a source I don't trust. I don't see how HTML vs. JSON relates to that point.