Is this a security vulerability, XSS or CSRF?

Lets say my javascript makes an ajax-request and in the callback-function it does eval(response_text) without checking the response_text for anything.

Something tells me this is not good, but why and how could开发者_StackOverflow it be epxloited? Wont it be always my server which will send it good data?

That would be vulnerable to an XSS if it comes from an untrusted source. The attacker can call a function on your site.

Think of a situation where the attacker appends a script tag to the document that loads a script from his site.