TryGhostOSS
    Ghost
    🐛 Fixed stored XSS and mangled structured data in JSON-LD output ref https://github.com/TryGhost/Ghost/pull/28957 - tag names, post keywords, and the site title were serialized raw into the inline <script type="application/ld+json"> block, letting an Editor-controlled value like `foo</script><script>...` break out of the script element and run arbitrary JS for anonymous visitors on tag and post pages - escapes the breakout-relevant characters (< > U+2028 U+2029) as JSON \u escapes at the single serialization boundary in ghost_head, so every field is covered at once instead of relying on per-field escaping that is easy to forget - removed the per-field escapeExpression calls from schema.js: HTML-entity escaping is the wrong layer here — JSON-LD consumers (Google et al.) parse the block as JSON and never HTML-decode, so it silently corrupted structured data (e.g. `Tom & Jerry` was indexed as `Tom &amp; Jerry`). JSON \u escapes are both safe and lossless, so legitimate `& ' "` now round-trip correctly - added a regression test proving breakout is neutralised while data round-trips, and updated the snapshot/assertions that were capturing the old corruption
    nx run ghost:test:e2e
Succeeded
CI Pipeline Execution

nx run ghost:test:e2e

Click to copy
Linux
4 CPU cores
read-write access token used
b7fca53429013

© 2026 - Nx Cloud

Terms of ServicePrivacy PolicyChangelogStatusDocsContact Nx CloudPricingCompany@NxDevTools