Is it safe to insert JSON in HTML

Valid JSON XSS can cause, json_encode produces, of course, valid. Another thing is that you continue with this JSONом'll do next — if the output to the page, it is necessary not to forget escapeth yourself.

<?php\recho json_encode(array('tzt'=>'\\")); // gives {"tzt":"'"} echo json_encode(array('tzt'=>'\\"')); // gives {"tzt":"\\""} echo json_encode(array('tzt'=>'')); // gives {"tzt":"<\\/script>"} echo json_encode(array('tzt'=>'<\\\\/script>')); // gives {"tzt":"<\\\\\\/script>"} echo json_encode(array('tzt'=>"\\x0")); // gives {"tzt":"\\u0000"} ?> 

There seems to be no way to break the JSON. But I just broke the parser Habrahabr: last """-quotes (in the comments) instead of a blank space should appear as "\\u" followed from "0000".

Though what and where to insert. JSON itself is transport — if the user in the comments hammered XSS, it honestly will be transferred via json seascape and all, but as soon as it as a piece of html inserted into the page text, then he will bite.
\r
Again, if you return the form filled in by the user, and it is back — Yes health even though what sticks. But in public — not good.