expressjs / express-expose

Expose raw js, objects, and functions to the client-side (awesome for sharing utils, settings, current user data etc)
MIT License
299 stars 26 forks

XSS vulnerable #41

Open stuartpb opened 9 years ago

stuartpb commented 9 years ago

This module creates content for an inline <script> tag. However, if anything in the content of that script tag includes </script>, HTML5's parsing rules will prematurely end the tag there, allowing for XSS injection.

This module should modify any strings in the returned JSON (for keys or values) that include </script> to be written as </"+"script>.
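The mechanism described above, worked through as an added example (not code from express-expose or from the issue's author): the HTML tokenizer ends a script element at the first "</script" it sees regardless of JavaScript string context, so the fix is to escape the "</" sequence before the JSON reaches the page. The "unsafe" function below is an assumed stand-in for the raw-JSON pattern the issue describes, and the function names, the `countScriptCloses` check and the sample data are constructed for this illustration.

```javascript
// Added example, not express-expose's own code: serialize a value so it can
// be embedded inside an inline <script> element without breaking out of it.
// The HTML tokenizer ends a script element at the first "</script" sequence
// (case-insensitive) no matter what the surrounding JavaScript looks like, so
// a plain JSON.stringify() of user-influenced data is not enough on its own.

// The "before" pattern the issue describes (assumed to resemble the module's
// behaviour at the time): raw JSON dropped straight into a <script> tag.
function unsafeRenderInlineScript(name, value) {
  return '<script>window.' + name + ' = ' + JSON.stringify(value) + ';</script>';
}

// Hardened serializer: JSON.stringify(), then escape the sequences that are
// meaningful to the HTML parser or that JavaScript string literals reject.
//   "</"            -> "<\/"     JS reads "\/" as "/", HTML never sees "</script"
//   "<!--"          -> "<\!--"   keeps the HTML5 script-data escaped states out
//   U+2028 / U+2029 -> \u2028 / \u2029   legal in JSON, historically a JS syntax error
function serializeForInlineScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) return 'undefined'; // e.g. value is a function
  return json
    .replace(/<\//g, '<\\/')
    .replace(/<!--/g, '<\\!--')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderInlineScript(name, value) {
  return '<script>window.' + name + ' = ' + serializeForInlineScript(value) + ';</script>';
}

// Defensive check for a rendered fragment: count "</script" occurrences,
// the tokenizer's trigger. A correctly rendered single block has exactly one.
function countScriptCloses(html) {
  const m = html.match(/<\/script/gi);
  return m ? m.length : 0;
}

// Constructed sample: a user-controlled display name that contains the
// closing-tag sequence from the issue plus a U+2028 line separator.
const sample = { name: 'Ada </script> Lovelace\u2028', admin: false };

const hardened = renderInlineScript('user', sample);
console.log(hardened);
console.log('unsafe closes:', countScriptCloses(unsafeRenderInlineScript('user', sample))); // 2
console.log('hardened closes:', countScriptCloses(hardened)); // 1
```

The escaped output is still valid JavaScript (a string literal reads `\/` as `/`), so the client receives the original data unchanged; the only thing that changes is that the HTML parser no longer sees a closing tag inside the script body.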

freewil commented 9 years ago

I can't confirm whether this allows for an XSS injection vulnerability, but I do believe #34 fixes your concern.