After reading the blog, the main take away from there is:
"Never send back JOSN array to the client side, it is easy to be hijacked, using JSON object, it is because JSON object is not considered to be a valid Javascript to execute"