Question

I had read OWASP's XSS Prevention Cheat Sheet a long time ago and made a wrapper function to include JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_QUOT|JSON_HEX_AMP by default so I would be safe. Or so I thought until a user at Freenode/##php told me that was unsafe. OWASP was apparently saying to put JSON into an element, have JavaScript grab its contents, and parse it.

This is the worst I could come up with and json_encode() still made it safe. Can anyone think of a string that could break through?

Source:
<script>//<![CDATA[
    window.data=<?php echo json_encode(
        "]]>\"'</script><script>alert(document.cookie)</script>"
        ,JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_QUOT|JSON_HEX_AMP
    );?>;
//]]></script>

Output:
<script>//<![CDATA[
    window.data="]]\u003E\u0022\u0027\u003C\/script\u003E\u003Cscript\u003Ealert(document.cookie)\u003C\/script\u003E";
//]]></script>
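As an added example (not code from the original post, and not OWASP's), the following PHP script runs the asker's probe string through json_encode() with and without the JSON_HEX_* flags, checks whether the result could terminate an enclosing script element, and shows both the inline-literal pattern and the data-block pattern the asker was told about. It assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR); the helper names are this example's own.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7.3+.
declare(strict_types=1);

// The flags from the question: < > ' " & become \u003C \u003E \u0027 \u0022 \u0026.
const SCRIPT_JSON_FLAGS = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;

/**
 * Encode $value for use inside a <script> element. Throws on invalid UTF-8
 * instead of returning false (a false would be echoed as an empty string and
 * leave a syntax error on the page). Do not add JSON_UNESCAPED_LINE_TERMINATORS:
 * U+2028/U+2029 are line terminators in JavaScript and would break the literal.
 */
function json_for_script($value): string
{
    return json_encode($value, SCRIPT_JSON_FLAGS | JSON_THROW_ON_ERROR);
}

/**
 * True if $encoded contains a sequence that ends an HTML <script> element or
 * switches the parser into the "<!--" escaped state. (In a document parsed as
 * XML, "]]>" would also matter; JSON_HEX_TAG covers it by escaping ">".)
 */
function can_break_out_of_script(string $encoded): bool
{
    return stripos($encoded, '</script') !== false
        || strpos($encoded, '<!--') !== false;
}

// The probe string from the question (constructed test input).
$probe = "]]>\"'</script><script>alert(document.cookie)</script>";

// Even without the flags, json_encode() escapes "/" as "\/", so "</script>"
// cannot appear literally; the flags additionally hex-escape < > ' " & so that
// no HTML-significant character survives at all.
$plain = json_encode($probe);
$safe  = json_for_script($probe);
var_dump(can_break_out_of_script($plain), can_break_out_of_script($safe));

// Pattern 1: JavaScript literal inside an inline script block.
echo "<script>window.data = ", $safe, ";</script>\n";

// Pattern 2 (the OWASP advice the asker refers to): emit the JSON in a
// non-executing data block and parse it on the client with JSON.parse().
echo '<script id="page-data" type="application/json">',
     json_for_script(['user' => $probe]), "</script>\n";
// Client side:
//   var data = JSON.parse(document.getElementById('page-data').textContent);
```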

Solution

Probably the best solution to this would be to make sure that your server's PHP is up to date. I like to use 5.5.21 as it's the latest full release; any above it are available but not properly "released". If you're worried about any possible exploits, read through php.net's latest news and search through some of the specific CVEs that they mention. Those are references to exploits that have been patched.

Licensed under: CC-BY-SA with attribution