fix: escape </script> sequences in jsonld override path

sagarsane · sagarsane · commit 9a03156393e9 · 2026-03-24T11:49:37.000-04:00
Applies escapeForScriptElement() to both the string and object variants
of the product.jsonld full-override path, so all JSON-LD output—whether
auto-generated or customer-supplied—is safe for embedding in HTML
&lt;script&gt; elements per the W3C JSON-LD 1.1 spec.
diff --git a/src/steps/render-jsonld.js b/src/steps/render-jsonld.js
@@ -80,9 +80,11 @@ function renderOffer(state, variant, simple = false) {
 export function convertToJsonLD(state, product) {
   // If the product has a jsonld property, use it directly instead of generating
   if (product.jsonld) {
-    return typeof product.jsonld === 'string'
-      ? product.jsonld
-      : JSON.stringify(product.jsonld, null, 2);
+    return escapeForScriptElement(
+      typeof product.jsonld === 'string'
+        ? product.jsonld
+        : JSON.stringify(product.jsonld, null, 2),
+    );
   }
 
   const {
diff --git a/test/steps/render-jsonld.test.js b/test/steps/render-jsonld.test.js
@@ -71,6 +71,50 @@ describe('convertToJsonLD', () => {
       assert.strictEqual(parsed.sku, 'STRING-SKU');
     });
 
+    it('escapes </script> sequences in jsonld string override', () => {
+      const maliciousJsonLdString = JSON.stringify({
+        '@context': 'https://schema.org',
+        '@type': 'Product',
+        name: 'Injected</script><script>alert(1)</script>',
+      });
+
+      const product = {
+        sku: 'ORIGINAL-SKU',
+        name: 'Original Product Name',
+        jsonld: maliciousJsonLdString,
+      };
+
+      const result = convertToJsonLD(mockState, product);
+
+      assert.ok(!result.includes('</script>'), 'output must not contain </script>');
+      assert.ok(result.includes('<\\/script>'), 'output must contain escaped sequence');
+
+      // Round-trip: JSON.parse must recover original value
+      const parsed = JSON.parse(result);
+      assert.strictEqual(parsed.name, 'Injected</script><script>alert(1)</script>');
+    });
+
+    it('escapes </script> sequences in jsonld object override', () => {
+      const product = {
+        sku: 'ORIGINAL-SKU',
+        name: 'Original Product Name',
+        jsonld: {
+          '@context': 'https://schema.org',
+          '@type': 'Product',
+          name: 'Injected</script><script>alert(1)</script>',
+        },
+      };
+
+      const result = convertToJsonLD(mockState, product);
+
+      assert.ok(!result.includes('</script>'), 'output must not contain </script>');
+      assert.ok(result.includes('<\\/script>'), 'output must contain escaped sequence');
+
+      // Round-trip: JSON.parse must recover original value
+      const parsed = JSON.parse(result);
+      assert.strictEqual(parsed.name, 'Injected</script><script>alert(1)</script>');
+    });
+
     it('generates jsonld when jsonld property is not provided', () => {
       const product = {
         sku: 'GENERATED-SKU',
