Schemaorg Cross-Site Scripting (XSS) via script break-out in toScript() output – GHSA-hwmc-r6mf-jh83 (Low) -DC-Jul2026-779


The `spatie/schema-org` package provides a fluent builder for Schema.org types and an LD+JSON generator. Affected versions (≥3.23.1, <3.23.2 and ≥4.0.0, <4.0.2) are vulnerable to Cross‑Site Scripting (XSS) due to insufficient escaping in the `toScript()` output.
The `toScript()` method is used to generate JavaScript code that embeds structured data (typically as a JSON-LD script block) directly into HTML pages. Under normal circumstances, user-supplied values passed into Schema.org properties are rendered inside a `<script>` tag. Because the output is not sanitised, a value containing a closing tag (e.g., `</script><img src=x onerror=alert(1)>`) is emitted verbatim, and the injected `</script>` prematurely terminates the enclosing `<script>` block.
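The following is an added example, not code from the advisory or from the `spatie/schema-org` project, that reproduces the defect class in Python: a JSON-LD value is placed inside `<script>` with plain JSON encoding, so the `</script>` in the quoted payload survives, next to a hardened encoder that emits the HTML-significant characters as JSON `\uXXXX` escapes, plus a detection check that scans a generated block for an early `</script`. The function names, the `SAMPLE` document and the `breaks_out` check are this example's own assumptions.

```python
import json
import re

# Constructed sample document: the "name" value stands in for attacker-controlled
# input reaching a Schema.org property; the payload is the one quoted in the advisory.
SAMPLE = {
    "@context": "https://schema.org",
    "@type": "Person",
    "name": "</script><img src=x onerror=alert(1)>",
}

OPEN = '<script type="application/ld+json">'
CLOSE = "</script>"

# The HTML tokenizer leaves "script data" state at "</script" regardless of the
# JSON string quoting around it, so this sequence must never appear in the body.
_BREAKOUT = re.compile(r"</script", re.IGNORECASE)


def to_script_unsafe(data: dict) -> str:
    """Illustrates the defect class: JSON is placed in <script> without HTML-aware
    escaping. json.dumps leaves '<', '>' and '/' untouched, so the payload's
    '</script>' reaches the browser verbatim."""
    return OPEN + json.dumps(data) + CLOSE


def to_script_safe(data: dict) -> str:
    """Hardened form: encode '&', '<' and '>' as JSON \\uXXXX escapes. The body is
    still valid JSON (JSON.parse / json.loads restore the original characters),
    but it can no longer form a tag inside the script element. ensure_ascii=True
    also keeps U+2028/U+2029 as escapes rather than raw line terminators."""
    payload = json.dumps(data, ensure_ascii=True)
    payload = (payload.replace("&", "\\u0026")
                      .replace("<", "\\u003c")
                      .replace(">", "\\u003e"))
    return OPEN + payload + CLOSE


def script_body(html: str) -> str:
    """Return the text between the opening tag and the final closing tag."""
    start = html.index(">") + 1
    end = html.rindex(CLOSE)
    return html[start:end]


def breaks_out(html: str) -> bool:
    """Detection check: True if the embedded body contains a sequence that would
    terminate the <script> element before the intended closing tag."""
    return _BREAKOUT.search(script_body(html)) is not None


def decodes_back(html: str) -> dict:
    """Parse the embedded JSON-LD body; the escapes decode to the original data."""
    return json.loads(script_body(html))


if __name__ == "__main__":
    print("unsafe breaks out:", breaks_out(to_script_unsafe(SAMPLE)))  # True
    print("safe breaks out:  ", breaks_out(to_script_safe(SAMPLE)))    # False
    print(to_script_safe(SAMPLE))
```

The `\u003c`-style escaping is the same transformation PHP's `json_encode()` applies with the `JSON_HEX_TAG` and `JSON_HEX_AMP` flags; whether the project's own fix took that route is not stated on this page. The `breaks_out` check is a cheap regression test to run over any generated block before it reaches a template.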
