Loading workspace insights... Statistics interval
7 days30 daysLatest CI Pipeline Executions
de1fcb7e 🐛 Fixed stored XSS and mangled structured data in JSON-LD output
ref https://github.com/TryGhost/Ghost/pull/28957
- tag names, keywords, titles and author fields were written into the
inline <script type="application/ld+json"> block, but escaping was applied
per-field with escapeExpression (HTML-entity encoding)
- that approach both missed fields (tag name, keywords, site title — an
Editor-controlled `</script>` broke out and executed for anon visitors,
see #28957) and corrupted the data that JSON-LD consumers read, e.g.
`Tom & Jerry` was indexed by search engines as `Tom & Jerry`
- fixed both at the correct layer: escape once on the serialised JSON at the
render sink in ghost_head (mirroring the existing `json` helper's
</>/& approach), which neutralises the script breakout for
every field, current and future, while preserving the original values for
parsers
- removed the now-redundant per-field escapeExpression calls from schema.js
so URLs, names and keywords are no longer double/entity-encoded