pub fn to_script_safe_json<T: Serialize>(value: &T) -> Result<String, Error>
Serializes a value to JSON that is safe to inline inside an HTML <script>
block. serde_json does not escape <, >, or &, so a string field
containing </script> would otherwise break out of the tag (a template
author controls the note/tag text → stored self-XSS). Escaping <, >, and &
to their \uXXXX forms still yields valid JSON that JSON.parse /
window.x = … reads identically, but the output cannot terminate the script element.
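
The escaping step described above, as an added example that is not this crate's own code: it post-processes JSON text that has already been serialized, so it builds without serde_json. The names escape_for_script, decode_json_string and RAW are hypothetical, and the small decoder exists only to show that the escaped form reads back identically.

```rust
// Added example (hypothetical names): post-process JSON text a serializer
// has already produced. In valid JSON, '<', '>' and '&' can only occur inside
// string literals, so replacing them globally cannot alter structure.
pub fn escape_for_script(json: &str) -> String {
    let mut out = String::with_capacity(json.len());
    for c in json.chars() {
        match c {
            '<' => out.push_str("\\u003c"),
            '>' => out.push_str("\\u003e"),
            '&' => out.push_str("\\u0026"),
            _ => out.push(c),
        }
    }
    out
}

// Minimal decoder for one JSON string literal (BMP \uXXXX only, no surrogate
// pairs), used here only to show that the escaped form decodes identically.
pub fn decode_json_string(lit: &str) -> Option<String> {
    let inner = lit.strip_prefix('"')?.strip_suffix('"')?;
    let mut out = String::new();
    let mut chars = inner.chars();
    while let Some(c) = chars.next() {
        if c != '\\' { out.push(c); continue; }
        match chars.next()? {
            'u' => {
                let hex: String = chars.by_ref().take(4).collect();
                if hex.len() != 4 || !hex.bytes().all(|b| b.is_ascii_hexdigit()) { return None; }
                out.push(char::from_u32(u32::from_str_radix(&hex, 16).ok()?)?);
            }
            'n' => out.push('\n'),
            e @ ('"' | '\\' | '/') => out.push(e),
            _ => return None,
        }
    }
    Some(out)
}

// Constructed sample: a string literal as a JSON serializer would emit it.
pub const RAW: &str = r#""note </script><b>x</b> & y""#;

fn main() {
    let safe = escape_for_script(RAW);
    println!("{safe}");
    assert_eq!(decode_json_string(&safe), decode_json_string(RAW));
}
```

The escaped text contains no <, > or &, so the HTML parser never sees a closing script tag, while a JSON parser recovers the original string.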