tedpennings/gist:4483687

## gistfile1.json
{
    "user":
    {
        "name": "Johnny Walker",
        "occupation": "Distiller",
        "location": (function() { alert("XSS 1!"); return "somewhere"})(),
        "_location_comment": "Once parsed unsafely, the location XSS will run automatically, as a self-executing function. JSON.parse can help with this, and jQuery's $.parseJSON uses it by default (as do $.ajax, etc)",
        "bio": "<script type='text/javascript'>alert('XSS 2!');</script>",
        "_bio_comment": "This XSS will execute once it is added to the DOM, if not properly escaped  before adding it. This is more of a persistent kind of XSS attack, typically from poor input validation on server side."
    }
}
	{
	"user":
	{
	"name": "Johnny Walker",
	"occupation": "Distiller",
	"location": (function() { alert("XSS 1!"); return "somewhere"})(),
	"_location_comment": "Once parsed unsafely, the location XSS will run automatically, as a self-executing function. JSON.parse can help with this, and jQuery's $.parseJSON uses it by default (as do $.ajax, etc)",
	"bio": "<script type='text/javascript'>alert('XSS 2!');</script>",
	"_bio_comment": "This XSS will execute once it is added to the DOM, if not properly escaped before adding it. This is more of a persistent kind of XSS attack, typically from poor input validation on server side."
	}
	}