The values used in the application/ld+json meta-blocks erroneously go through an HTML-specific sanitizer. Depending on how the browser interprets application/ld+json, this could allow JavaScript to be injected into pages through topic headings; even if the block is never executed (which it probably isn't in modern browsers), the result is at least invalid JSON.
Instead, the objects should be built as data and encoded with json_encode, combined with escaping that prevents the block from being terminated early (since it is embedded within an HTML document). E.g.
Also, the & should not be turned into an entity, as the content is JSON, not HTML.
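The following is an added example (not the project's own code) showing both points above for a PHP application: the broken pattern of splicing an HTML-sanitized value into a JSON template, and the corrected pattern of building an array and letting json_encode do the escaping, with the JSON_HEX_* flags so that <, >, & and quotes inside values become \uXXXX escapes and the block can never contain "</script". The "HTML specific sanitizer" is assumed to behave like htmlspecialchars with ENT_NOQUOTES (encoding & < > but not quotes); the function names and the sample heading are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Inside an HTML <script> element
// the parser does not decode entities; the only thing that can end the element
// is "</script". So values must be JSON-escaped (\u003C, \u0026, ...), never
// entity-encoded (&lt;, &amp;).

// Constructed untrusted topic heading: contains &, quotes and a closing tag.
const SAMPLE_HEADING = 'Tips & tricks: "quoting" and </script><script>alert(1)</script>';

// Stand-in for the HTML-specific sanitizer the report mentions (assumption:
// it entity-encodes & < > but leaves quotes alone, as HTML text context
// does not require them to be escaped).
function htmlTextSanitizer(string $s): string
{
    return htmlspecialchars($s, ENT_NOQUOTES, 'UTF-8');
}

// The broken pattern: an HTML-sanitized value spliced into a hand-written
// JSON template. The unescaped " breaks the JSON and & becomes &amp;.
function ldJsonBlockBroken(string $heading): string
{
    $json = '{"@context":"https://schema.org","@type":"DiscussionForumPosting",'
          . '"headline":"' . htmlTextSanitizer($heading) . '"}';
    return '<script type="application/ld+json">' . $json . '</script>';
}

// The corrected pattern: build the object, let json_encode produce valid
// JSON, and add the HEX flags so <, >, &, ' and " inside values are emitted
// as \uXXXX escapes. The encoded text can then never contain "</script" or
// "<!--", and no HTML entities are produced. (JSON_THROW_ON_ERROR: PHP >= 7.3)
function ldJsonBlock(array $data): string
{
    $json = json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script type="application/ld+json">' . $json . '</script>';
}

// Check a rendered block: extract the script body, require that it contains
// no raw <, > or & (which could close the element or are entities), and
// require valid JSON whose headline round-trips to the original heading.
function scriptBodyIsSafe(string $block, string $expectedHeading): bool
{
    if (!preg_match('~^<script type="application/ld\+json">(.*)</script>$~s', $block, $m)) {
        return false;
    }
    $body = $m[1];
    if (preg_match('/[<>&]/', $body)) {
        return false;
    }
    $decoded = json_decode($body, true);
    return is_array($decoded) && ($decoded['headline'] ?? null) === $expectedHeading;
}

$data = [
    '@context' => 'https://schema.org',
    '@type'    => 'DiscussionForumPosting',
    'headline' => SAMPLE_HEADING,
];

$broken = ldJsonBlockBroken(SAMPLE_HEADING);
$fixed  = ldJsonBlock($data);

echo $broken, PHP_EOL;
echo $fixed, PHP_EOL;
var_dump(scriptBodyIsSafe($broken, SAMPLE_HEADING));
var_dump(scriptBodyIsSafe($fixed, SAMPLE_HEADING));
```

Run with php on the command line. The broken block fails the check on two counts: its body contains &amp; and &lt;/script&gt; (entities, which a JSON consumer will show literally), and the unescaped quotes from the heading make the JSON unparseable. The corrected block passes: the headline comes out as "Tips \u0026 tricks: \u0022quoting\u0022 and \u003C\/script\u003E..." inside the script body, which decodes back to the original heading and contains nothing the HTML parser could mistake for the end of the element.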