This is probably a minor nit... But I worry that people will follow an unsafe example because they don't know any better. I definitely would've fallen into that trap not so long ago.
My suggested change is to replace JSON.stringify with serialize-javascript, which does automatic escaping of HTML characters.
I don't know if just using it in the example is enough, or if it would be a good idea to add a note / warning.
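As an added illustration of the concern raised above (example code, not the commenter's and not the serialize-javascript package itself): plain JSON.stringify output dropped into an inline `<script>` block keeps `<`, `>` and `/` intact, so the HTML parser can see a closing script tag inside the data; the small escaper below approximates what serialize-javascript does by rewriting those characters (plus the U+2028/U+2029 line terminators) as JavaScript unicode escapes, which JSON.parse still decodes losslessly. The escape map and helper names are this example's own assumptions.

```javascript
// Characters that can break out of, or confuse, an inline <script> context.
// The HTML parser looks for "</script" before any JavaScript runs, and
// U+2028/U+2029 are line terminators that older engines reject in literals.
// This map is an approximation of the serialize-javascript behaviour.
const ESCAPES = {
  "<": "\\u003C",
  ">": "\\u003E",
  "/": "\\u002F",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Serialize data for embedding as <script>window.__DATA__ = ...;</script>.
// JSON.parse decodes \uXXXX escapes, so the round trip is lossless.
function serializeForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>\/\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// Defensive check a template layer can run before emitting the payload:
// the serialized text must not contain a script-closing tag or a comment
// opener, which is exactly what raw JSON.stringify output can carry.
function isSafeForInlineScript(serialized) {
  return !/<\/script/i.test(serialized) && !serialized.includes("<!--");
}

// Constructed sample: user-controlled data that contains markup.
const untrusted = { name: "</script><b>x</b>", note: "line\u2028break" };

const naive = JSON.stringify(untrusted);           // contains "</script>" verbatim
const safe = serializeForInlineScript(untrusted);  // "</" becomes "\u003C\u002F"

console.log("naive safe?", isSafeForInlineScript(naive)); // false
console.log("escaped safe?", isSafeForInlineScript(safe)); // true
console.log("round trip ok?", JSON.stringify(JSON.parse(safe)) === naive); // true
```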