Avoid unsafe behavior in example code

[cesarandreu]

This is probably a minor nit... But I worry that people will follow an unsafe example because they don't know any better. I definitely would've fallen into that trap not so long ago.

My suggested change is to replace JSON.stringify with serialize-javascript, which does automatic escaping of HTML characters.

I don't know if just using it in the example is enough, or if it would be a good idea to add a note / warning.

[markdalgleish]

I actually fell into this trap myself, too. Thanks for the PR.