Mike Owens


Renaissance Hacker Extraordinaire (look at the ego on this one)

Filespanker LLC

March 12

What some people don't get about JSON

JavaScript is just one language that can parse JSON with a quick eval(). Python is another. Using JSON doesn’t expose you to any JavaScript (or Python) security problems unless you are actually parsing it with eval(). I don’t even do that in JavaScript anymore.
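The difference between the two approaches, as an added example that is not code from the original post: the same untrusted text is handed to eval() and to JSON.parse(), and the report shows which one lets the input run code. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example: the same untrusted text handed to eval() and to a real JSON parser.
// All inputs below are constructed for illustration.
globalThis.sideEffects = [];   // records anything the input manages to execute

// The shortcut the post warns about: treat the text as JavaScript source.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// A data-only parser: accepts the JSON grammar, never executes anything.
function parseStrict(text) {
  return JSON.parse(text);
}

// Run one parser over one input and report what happened.
function attempt(parser, text) {
  const before = globalThis.sideEffects.length;
  let outcome;
  try {
    outcome = { ok: true, value: parser(text) };
  } catch (err) {
    outcome = { ok: false, error: err.name };
  }
  outcome.executedCode = globalThis.sideEffects.length > before;
  return outcome;
}

const samples = {
  plainJson: '{"user": "alice", "admin": false}',
  // Valid JavaScript, not valid JSON: a function call inside the "literal".
  codeInValue: '{"user": globalThis.sideEffects.push("ran") && "alice"}',
  // Valid JavaScript, not valid JSON: an immediately invoked function.
  iife: '(function () { globalThis.sideEffects.push("ran"); return {}; })()',
};

function compare() {
  const report = {};
  for (const [name, text] of Object.entries(samples)) {
    report[name] = {
      eval: attempt(parseWithEval, text),
      strict: attempt(parseStrict, text),
    };
  }
  return report;
}

console.log(JSON.stringify(compare(), null, 2));
```

Both parsers return the same object for the plain JSON sample; only eval() accepts the other two, and both of them execute code on the way.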

I keep reading comments from people who think parsing JSON would somehow have more security problems than, e.g., parsing XML, simply because JSON was “extracted” from JavaScript, even outside of the context of JSON-in-JavaScript. Are these people under the impression that you have to fire up an interpreter to parse JSON? We’re not talking about m4 here.

Divorce JSON from JavaScript in your mind. Don’t think “JSON was taken out of JavaScript”, think “JavaScript is a language which happens to use JSON as its literal format”. It’s just a quirk that JSON isn’t called PythON.