ikepyon's Good-for-Nothing Diary

I plan to write here about security-related things.

JSON

http://tools.ietf.org/html/rfc4627

Security considerations:

Generally there are security issues with scripting languages. JSON
is a subset of JavaScript, but it is a safe subset that excludes
assignment and invocation.

A JSON text can be safely passed into JavaScript's eval() function
(which compiles and executes a string) if all the characters not
enclosed in strings are in the set of characters that form JSON
tokens. This can be quickly determined in JavaScript with two
regular expressions and calls to the test and replace methods.

var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
eval('(' + text + ')');

Looking at this, it does properly cover security. Well, if you think about it normally, that's only natural.
The sample code feels like it might be good enough, but I get the feeling there is a loophole somewhere around character encodings.
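To see what the RFC's two-regex check actually does, here is an added example (not code from RFC 4627 or from this blog) that wraps the check in functions and runs it over a few constructed inputs, reporting next to each one whether JSON.parse (a real grammar check, provided by every current engine but not part of the 2006 RFC) would accept it. The two regular expressions are copied from the RFC text quoted above; the function names and the sample texts are this example's own assumptions.

```javascript
// Added example, not code from RFC 4627 or from this blog: the RFC's two-regex
// check wrapped in functions and compared against JSON.parse on constructed
// inputs. Function names and the sample texts are this example's own.

// Step 1 (RFC 4627): remove every string literal, honouring backslash escapes,
// so that quotes or code hidden inside strings cannot influence the check.
function stripStrings(text) {
  return text.replace(/"(\\.|[^"\\])*"/g, '');
}

// Step 2 (RFC 4627): whatever remains may only consist of JSON token characters:
// punctuation, digits, sign and exponent characters, the letters of true/false/null,
// and whitespace. One character outside that set rejects the whole text.
const NON_TOKEN_CHAR = /[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/;

function passesRfc4627Check(text) {
  return !NON_TOKEN_CHAR.test(stripStrings(text));
}

// eval() only after the check; the parentheses turn a top-level object
// literal into an expression instead of a block statement.
function rfc4627Eval(text) {
  if (!passesRfc4627Check(text)) {
    throw new SyntaxError('text contains characters outside the JSON token set');
  }
  return eval('(' + text + ')');
}

// JSON.parse, a real grammar check, for comparison (not part of the 2006 RFC).
function jsonParseAccepts(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed inputs: plain JSON, two injection attempts, an escaped-quote
// trick, and non-JSON that is still made only of token characters.
const SAMPLES = [
  '{"user":"ikepyon","tags":["a","b"],"n":-1.5e3}', // valid JSON: both accept
  '{"a": alert(1)}',                                  // invocation: "(" is rejected
  '{"a":1}; document.cookie',                          // statement: ";" is rejected
  '{"x": "\\"; alert(1); \\""}',                       // escaped quotes stay inside the string
  '{a:1}',                                             // unquoted key: passes, not JSON
  '[1+1]',                                             // arithmetic: passes, eval computes [2]
];

function classify(text) {
  return { rfc4627: passesRfc4627Check(text), jsonParse: jsonParseAccepts(text) };
}

for (const text of SAMPLES) {
  const { rfc4627, jsonParse } = classify(text);
  const value = rfc4627 ? JSON.stringify(rfc4627Eval(text)) : '(rejected)';
  console.log(`${text.padEnd(48)} rfc4627=${rfc4627} JSON.parse=${jsonParse} eval=${value}`);
}
```

The run shows what the RFC claims and what it does not: `=`, `(` and `;` are outside the token set, so assignment, invocation and extra statements are rejected even when wrapped around escaped quotes, but the check is a character whitelist rather than a grammar check, so `{a:1}` and `[1+1]` pass and eval happily evaluates them. On the encoding worry: the character class is pure ASCII, so any non-ASCII character outside a string is rejected; inside strings the one well-known mismatch was U+2028 and U+2029, which JSON allows unescaped in strings but which JavaScript treated as line terminators in string literals until ES2019, so the check passed and eval raised a SyntaxError. JSON.parse never executes anything and is the right tool wherever it exists.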