I was reading about "Stored XSS via AJAX" on "Web Application Exploits and Defenses", where it says:

"Second, in the browser, Gruyere converts the JSON by using Javascript's eval. In general, eval is very dangerous and should rarely be used. If it is used, it must be used very carefully, which is hardly the case here. We should be using the JSON parser which ensures that the string does not include any unsafe content. The JSON parser is available at json.org."

So I'm wondering what Dancer does: does it use eval, or does it use a parser?
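The difference the quoted passage describes, as an added example that is not part of the original post and is not Gruyere's or Dancer's code: the same response body decoded with `eval` and with a parser. It uses the built-in `JSON.parse` in place of the json.org library; the function names and both sample bodies are constructed for illustration.

```javascript
// Constructed sample response bodies (not taken from Gruyere).
const benignBody = '{"user": "alice", "snippet": "hello"}';
// Not valid JSON: the value is a JavaScript expression with a side effect.
const hostileBody = '{"user": "mallory", "snippet": recordExecution("ran")}';

// Harmless stand-in for "script ran in the page": it only records the call.
const executed = [];
function recordExecution(tag) {
  executed.push(tag);
  return tag;
}

// The pattern the quoted passage warns about: the body is evaluated as code,
// so any expression inside it is executed while "decoding".
function decodeWithEval(body) {
  return eval('(' + body + ')');
}

// The parser accepts only the JSON grammar and throws on anything else;
// nothing in the body is ever executed.
function decodeWithParser(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Decode one body both ways and report whether code ran in each case.
function compare(body) {
  executed.length = 0;
  const parsed = decodeWithParser(body);
  const ranUnderParser = executed.length;
  decodeWithEval(body);
  return {
    parserAccepted: parsed.ok,
    ranUnderParser: ranUnderParser,
    ranUnderEval: executed.length
  };
}

console.log('benign :', compare(benignBody));
console.log('hostile:', compare(hostileBody));
```

A parser only guarantees that the body is data; string values taken from it still need output escaping before they are written into the page.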