The code is executed! This could perhaps be used to return malformed instructions instead of JSON and do something malicious to the client. However, try this:
Notice that it just throws a parsing error, but of course for actual JSON it still produces the correct object. Also, here’s a relevant stackoverflow answer.