After reading the blog, the main take away from there is:
"Never send back JOSN array to the client side, it is easy to be hijacked, using JSON object, it is because JSON object is not considered to be a valid Javascript to execute"
原文:http://www.cnblogs.com/Answer1215/p/7419981.html