[SECURITY] Properly escape content

CHANGELOG.md

@@ -7,6 +7,9 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+### Security
+- Properly escape content
+
 ## [2.5.0] - 2022-05-18
 
 ### Added

Classes/JsonLd/Renderer.php

@@ -64,7 +64,7 @@ public function render(): string
 
         return \sprintf(
             Extension::JSONLD_TEMPLATE,
-            \json_encode($result, \JSON_UNESCAPED_SLASHES | \JSON_UNESCAPED_UNICODE)
+            \json_encode($result, \JSON_HEX_TAG | \JSON_UNESCAPED_SLASHES | \JSON_UNESCAPED_UNICODE)
         );
     }
 

Documentation/Changelog/Index.rst

@@ -11,6 +11,12 @@ to `Semantic Versioning <https://semver.org/spec/v2.0.0.html>`_.
 `Unreleased <https://github.com/brotkrueml/schema/compare/v2.5.0...HEAD>`_
 ------------------------------------------------------------------------------
 
+Security
+^^^^^^^^
+
+
+* Properly escape content
+
 `2.5.0 <https://github.com/brotkrueml/schema/compare/v2.4.0...v2.5.0>`_ - 2022-05-18
 ----------------------------------------------------------------------------------------
 

Tests/Unit/JsonLd/RendererTest.php

@@ -191,6 +191,14 @@ public function dataProvider(): \Iterator
             ],
             '{"@context":"https://schema.org/","@type":"GenericStub","some-property":{"@id":"some-node-identifier-id"}}',
         ];
+
+        yield 'Value is a string provoking XSS' => [
+            null,
+            [
+                'some-string' => '</script><svg/onload=prompt(document.domain)>',
+            ],
+            '{"@context":"https://schema.org/","@type":"GenericStub","some-string":"\u003C/script\u003E\u003Csvg/onload=prompt(document.domain)\u003E"}',
+        ];
     }
 
     /**