# `react-doctor/unsafe-json-in-html`

Unescaped JSON in HTML or script sink

- **Category:** Security
- **Severity:** warn
- **Source:** oxlint-plugin-react-doctor
- **Framework:** global
- **Enabled when:** always

## Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Confirm the reported code matches Unescaped JSON in HTML or script sink. Check the framework context and diagnostic message before suppressing it.

## Fix prompt

Use this once validation confirms the diagnostic is real.

JSON.stringify does not HTML-escape, so a `</script>` (or `<`) in the data breaks out and becomes XSS. Use an HTML-safe serializer (serialize-javascript, devalue) or escape `<`, `>`, and `&`, or pass data via a JSON `<script type="application/json">` read with JSON.parse.
