Client-side UIs SHOULD be built entirely with mature JavaScript or TypeScript frameworks such as React, Angular, or Vue (no ActiveX or Java):
JSON data MUST be parsed only with a secure API such as JSON.parse() (not eval()).
Safe APIs that only output text (e.g. .innerText or .textContent) SHOULD be used instead of unsafe JavaScript APIs that inject HTML code directly (e.g. .innerHTML). This requirement also extends to any other web framework or API that offers similar functionality.
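The two requirements above combined, as an added example that is not part of the original page: untrusted input is parsed with JSON.parse(), shape-checked, and rendered through textContent. The names parseComment and renderComment are hypothetical, and the sample payloads are constructed.

```javascript
// Constructed sample inputs (not taken from any real system).
const SAMPLE_OK = '{"author":"mallory","text":"<img src=x onerror=alert(1)>"}';
const SAMPLE_NOT_JSON = '({"author":"x","text":"y"}, globalThis.pwned = true)';
const SAMPLE_BAD_SHAPE = '{"author":"x","text":{"html":"<b>hi</b>"}}';

// Parse untrusted input with JSON.parse(), which accepts only JSON grammar
// and never evaluates expressions, then verify the shape before use.
function parseComment(raw) {
  let data;
  try {
    data = JSON.parse(raw);
  } catch (err) {
    return null; // not JSON: reject rather than fall back to eval()
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  if (typeof data.author !== "string" || typeof data.text !== "string") return null;
  // Copy only the expected fields so unexpected keys are dropped.
  return { author: data.author, text: data.text };
}

// Render with createElement + textContent so any markup in the data
// stays literal text and is never handed to the HTML parser.
// In a browser, call renderComment(container, raw); doc defaults to document.
function renderComment(container, raw, doc = globalThis.document) {
  const comment = parseComment(raw);
  if (comment === null) return false; // leave the existing DOM untouched
  const author = doc.createElement("strong");
  author.textContent = comment.author;
  const body = doc.createElement("p");
  body.textContent = comment.text;
  container.replaceChildren(author, body);
  return true;
}
```

In a browser the SAMPLE_OK text is displayed as the literal characters of the tag; no img element is created and no handler runs.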