Escape meta json ld content (#10741)

Author: brophdawg11

CHANGELOG.md

@@ -13,160 +13,162 @@ We manage release notes in this file instead of the paginated GitHub Releases Pa
   <summary>Table of Contents</summary>
 
 - [Remix Releases](#remix-releases)
+  - [v2.17.1](#v2171)
+    - [Patch Changes](#patch-changes)
   - [v2.17.0](#v2170)
     - [Minor Changes](#minor-changes)
     - [Changes by Package](#changes-by-package)
   - [v2.16.8](#v2168)
-    - [Patch Changes](#patch-changes)
-  - [v2.16.7](#v2167)
     - [Patch Changes](#patch-changes-1)
-  - [v2.16.6](#v2166)
+  - [v2.16.7](#v2167)
     - [Patch Changes](#patch-changes-2)
-  - [v2.16.5](#v2165)
+  - [v2.16.6](#v2166)
     - [Patch Changes](#patch-changes-3)
-  - [v2.16.4](#v2164)
+  - [v2.16.5](#v2165)
     - [Patch Changes](#patch-changes-4)
+  - [v2.16.4](#v2164)
+    - [Patch Changes](#patch-changes-5)
   - [v2.16.3](#v2163)
     - [Security Notice](#security-notice)
-    - [Patch Changes](#patch-changes-5)
-  - [v2.16.2](#v2162)
     - [Patch Changes](#patch-changes-6)
-  - [v2.16.1](#v2161)
+  - [v2.16.2](#v2162)
     - [Patch Changes](#patch-changes-7)
+  - [v2.16.1](#v2161)
+    - [Patch Changes](#patch-changes-8)
   - [v2.16.0](#v2160)
     - [Minor Changes](#minor-changes-1)
-    - [Patch Changes](#patch-changes-8)
+    - [Patch Changes](#patch-changes-9)
     - [Updated Dependencies](#updated-dependencies)
   - [v2.15.3](#v2153)
-    - [Patch Changes](#patch-changes-9)
+    - [Patch Changes](#patch-changes-10)
     - [Updated Dependencies](#updated-dependencies-1)
   - [v2.15.2](#v2152)
-    - [Patch Changes](#patch-changes-10)
+    - [Patch Changes](#patch-changes-11)
     - [Updated Dependencies](#updated-dependencies-2)
   - [v2.15.1](#v2151)
-    - [Patch Changes](#patch-changes-11)
-  - [v2.15.0](#v2150)
     - [Patch Changes](#patch-changes-12)
+  - [v2.15.0](#v2150)
+    - [Patch Changes](#patch-changes-13)
   - [v2.14.0](#v2140)
     - [Minor Changes](#minor-changes-2)
-    - [Patch Changes](#patch-changes-13)
+    - [Patch Changes](#patch-changes-14)
     - [Updated Dependencies](#updated-dependencies-3)
     - [Changes by Package](#changes-by-package-1)
   - [v2.13.1](#v2131)
-    - [Patch Changes](#patch-changes-14)
+    - [Patch Changes](#patch-changes-15)
   - [v2.13.0](#v2130)
     - [What's Changed](#whats-changed)
       - [Stabilized APIs](#stabilized-apis)
     - [Minor Changes](#minor-changes-3)
-    - [Patch Changes](#patch-changes-15)
+    - [Patch Changes](#patch-changes-16)
     - [Updated Dependencies](#updated-dependencies-4)
     - [Changes by Package](#changes-by-package-2)
   - [v2.12.1](#v2121)
-    - [Patch Changes](#patch-changes-16)
+    - [Patch Changes](#patch-changes-17)
     - [Changes by Package](#changes-by-package-3)
   - [v2.12.0](#v2120)
     - [What's Changed](#whats-changed-1)
       - [Future Flag for Automatic Dependency Optimization (unstable)](#future-flag-for-automatic-dependency-optimization-unstable)
       - [Improved Single Fetch Type Safety (unstable)](#improved-single-fetch-type-safety-unstable)
       - [Updates to Single Fetch Revalidation Behavior (unstable)](#updates-to-single-fetch-revalidation-behavior-unstable)
     - [Minor Changes](#minor-changes-4)
-    - [Patch Changes](#patch-changes-17)
+    - [Patch Changes](#patch-changes-18)
     - [Updated Dependencies](#updated-dependencies-5)
     - [Changes by Package](#changes-by-package-4)
   - [v2.11.2](#v2112)
-    - [Patch Changes](#patch-changes-18)
+    - [Patch Changes](#patch-changes-19)
     - [Updated Dependencies](#updated-dependencies-6)
     - [Changes by Package](#changes-by-package-5)
   - [v2.11.1](#v2111)
-    - [Patch Changes](#patch-changes-19)
+    - [Patch Changes](#patch-changes-20)
     - [Changes by Package](#changes-by-package-6)
   - [v2.11.0](#v2110)
     - [What's Changed](#whats-changed-2)
       - [Renamed `unstable_fogOfWar` future flag to `unstable_lazyRouteDiscovery` (unstable)](#renamed-unstable_fogofwar-future-flag-to-unstable_lazyroutediscovery-unstable)
       - [Removed `response` stub in Single Fetch (unstable)](#removed-response-stub-in-single-fetch-unstable)
     - [Minor Changes](#minor-changes-5)
-    - [Patch Changes](#patch-changes-20)
+    - [Patch Changes](#patch-changes-21)
     - [Updated Dependencies](#updated-dependencies-7)
     - [Changes by Package](#changes-by-package-7)
   - [v2.10.3](#v2103)
-    - [Patch Changes](#patch-changes-21)
+    - [Patch Changes](#patch-changes-22)
     - [Updated Dependencies](#updated-dependencies-8)
     - [Changes by Package](#changes-by-package-8)
   - [v2.10.2](#v2102)
-    - [Patch Changes](#patch-changes-22)
+    - [Patch Changes](#patch-changes-23)
     - [Changes by Package](#changes-by-package-9)
   - [v2.10.1](#v2101)
-    - [Patch Changes](#patch-changes-23)
+    - [Patch Changes](#patch-changes-24)
     - [Updated Dependencies](#updated-dependencies-9)
     - [Changes by Package](#changes-by-package-10)
   - [v2.10.0](#v2100)
     - [What's Changed](#whats-changed-3)
       - [Lazy Route Discovery (a.k.a. "Fog of War")](#lazy-route-discovery-aka-fog-of-war)
     - [Minor Changes](#minor-changes-6)
-    - [Patch Changes](#patch-changes-24)
+    - [Patch Changes](#patch-changes-25)
     - [Updated Dependencies](#updated-dependencies-10)
     - [Changes by Package](#changes-by-package-11)
   - [v2.9.2](#v292)
     - [What's Changed](#whats-changed-4)
       - [Updated Type-Safety for Single Fetch](#updated-type-safety-for-single-fetch)
-    - [Patch Changes](#patch-changes-25)
+    - [Patch Changes](#patch-changes-26)
     - [Updated Dependencies](#updated-dependencies-11)
     - [Changes by Package](#changes-by-package-12)
   - [v2.9.1](#v291)
-    - [Patch Changes](#patch-changes-26)
+    - [Patch Changes](#patch-changes-27)
     - [Changes by Package](#changes-by-package-13)
   - [v2.9.0](#v290)
     - [What's Changed](#whats-changed-5)
       - [Single Fetch (unstable)](#single-fetch-unstable)
       - [Undici](#undici)
     - [Minor Changes](#minor-changes-7)
-    - [Patch Changes](#patch-changes-27)
+    - [Patch Changes](#patch-changes-28)
     - [Updated Dependencies](#updated-dependencies-12)
     - [Changes by Package](#changes-by-package-14)
   - [v2.8.1](#v281)
-    - [Patch Changes](#patch-changes-28)
+    - [Patch Changes](#patch-changes-29)
     - [Updated Dependencies](#updated-dependencies-13)
     - [Changes by Package](#changes-by-package-15)
   - [v2.8.0](#v280)
     - [Minor Changes](#minor-changes-8)
-    - [Patch Changes](#patch-changes-29)
+    - [Patch Changes](#patch-changes-30)
     - [Updated Dependencies](#updated-dependencies-14)
     - [Changes by Package](#changes-by-package-16)
   - [2.7.2](#272)
-    - [Patch Changes](#patch-changes-30)
-  - [2.7.1](#271)
     - [Patch Changes](#patch-changes-31)
+  - [2.7.1](#271)
+    - [Patch Changes](#patch-changes-32)
   - [v2.7.0](#v270)
     - [What's Changed](#whats-changed-6)
       - [Stabilized Vite Plugin](#stabilized-vite-plugin)
       - [New `Layout` Export](#new-layout-export)
       - [Basename support](#basename-support)
       - [Cloudflare Proxy as a Vite Plugin](#cloudflare-proxy-as-a-vite-plugin)
     - [Minor Changes](#minor-changes-9)
-    - [Patch Changes](#patch-changes-32)
+    - [Patch Changes](#patch-changes-33)
     - [Updated Dependencies](#updated-dependencies-15)
     - [Changes by Package](#changes-by-package-17)
   - [v2.6.0](#v260)
     - [What's Changed](#whats-changed-7)
       - [Unstable Vite Plugin updates](#unstable-vite-plugin-updates)
     - [Minor Changes](#minor-changes-10)
-    - [Patch Changes](#patch-changes-33)
+    - [Patch Changes](#patch-changes-34)
     - [Updated Dependencies](#updated-dependencies-16)
     - [Changes by Package](#changes-by-package-18)
   - [v2.5.1](#v251)
-    - [Patch Changes](#patch-changes-34)
+    - [Patch Changes](#patch-changes-35)
     - [Updated Dependencies](#updated-dependencies-17)
     - [Changes by Package](#changes-by-package-19)
   - [v2.5.0](#v250)
     - [What's Changed](#whats-changed-8)
       - [SPA Mode (unstable)](#spa-mode-unstable)
       - [Server Bundles (unstable)](#server-bundles-unstable)
     - [Minor Changes](#minor-changes-11)
-    - [Patch Changes](#patch-changes-35)
+    - [Patch Changes](#patch-changes-36)
     - [Updated Dependencies](#updated-dependencies-18)
     - [Changes by Package](#changes-by-package-20)
   - [v2.4.1](#v241)
-    - [Patch Changes](#patch-changes-36)
+    - [Patch Changes](#patch-changes-37)
     - [Updated Dependencies](#updated-dependencies-19)
     - [Changes by Package](#changes-by-package-21)
   - [v2.4.0](#v240)
@@ -175,19 +177,19 @@ We manage release notes in this file instead of the paginated GitHub Releases Pa
       - [`future.v3_relativeSplatPath`](#futurev3_relativesplatpath)
       - [Vite Updates (Unstable)](#vite-updates-unstable)
     - [Minor Changes](#minor-changes-12)
-    - [Patch Changes](#patch-changes-37)
+    - [Patch Changes](#patch-changes-38)
     - [Updated Dependencies](#updated-dependencies-20)
     - [Changes by Package](#changes-by-package-22)
   - [v2.3.1](#v231)
-    - [Patch Changes](#patch-changes-38)
+    - [Patch Changes](#patch-changes-39)
     - [Updated Dependencies](#updated-dependencies-21)
     - [Changes by Package](#changes-by-package-23)
   - [v2.3.0](#v230)
     - [What's Changed](#whats-changed-10)
       - [Stabilized `useBlocker`](#stabilized-useblocker)
       - [`unstable_flushSync` API](#unstable_flushsync-api)
     - [Minor Changes](#minor-changes-13)
-    - [Patch Changes](#patch-changes-39)
+    - [Patch Changes](#patch-changes-40)
     - [Updated Dependencies](#updated-dependencies-22)
     - [Changes by Package](#changes-by-package-24)
   - [v2.2.0](#v220)
@@ -196,19 +198,19 @@ We manage release notes in this file instead of the paginated GitHub Releases Pa
       - [New Fetcher APIs](#new-fetcher-apis)
       - [Persistence Future Flag](#persistence-future-flag)
     - [Minor Changes](#minor-changes-14)
-    - [Patch Changes](#patch-changes-40)
+    - [Patch Changes](#patch-changes-41)
     - [Updated Dependencies](#updated-dependencies-23)
     - [Changes by Package](#changes-by-package-25)
   - [v2.1.0](#v210)
     - [What's Changed](#whats-changed-12)
       - [View Transitions](#view-transitions)
       - [Stable `createRemixStub`](#stable-createremixstub)
     - [Minor Changes](#minor-changes-15)
-    - [Patch Changes](#patch-changes-41)
+    - [Patch Changes](#patch-changes-42)
     - [Updated Dependencies](#updated-dependencies-24)
     - [Changes by Package](#changes-by-package-26)
   - [v2.0.1](#v201)
-    - [Patch Changes](#patch-changes-42)
+    - [Patch Changes](#patch-changes-43)
     - [Changes by Package 🔗](#changes-by-package-)
   - [v2.0.0](#v200)
     - [Breaking Changes](#breaking-changes)
@@ -272,6 +274,16 @@ Date: YYYY-MM-DD
 
 -->
 
+## v2.17.1
+
+Date: 2025-09-11
+
+### Patch Changes
+
+- `@remix-run/react` - Escape HTML in `meta()` JSON-LD content
+
+**Full Changelog**: [`v2.17.0...v2.17.1`](https://github.com/remix-run/remix/compare/[email protected]@2.17.1)
+
 ## v2.17.0
 
 Date: 2025-07-25

integration/helpers/deno-template/server.ts

@@ -1,3 +1,4 @@
+// deno-lint-ignore no-import-prefix
 import { serve } from "https://deno.land/[email protected]/http/server.ts";
 import { createRequestHandlerWithStaticFiles } from "@remix-run/deno";
 // Import path interpreted by the Remix compiler

packages/remix-deno/server.ts

@@ -1,3 +1,4 @@
+// deno-lint-ignore no-import-prefix
 import * as path from "https://deno.land/[email protected]/path/mod.ts";
 import mime from "mime";
 import { createRequestHandler as createRemixRequestHandler } from "@remix-run/server-runtime";

packages/remix-deno/sessions/fileStorage.ts

@@ -1,3 +1,4 @@
+// deno-lint-ignore no-import-prefix
 import * as path from "https://deno.land/[email protected]/path/mod.ts";
 
 import type {

packages/remix-react/__tests__/integration/meta-test.tsx

@@ -219,6 +219,7 @@ describe("meta", () => {
         postalCode: "92107",
       },
       email: ["[email protected]", "[email protected]"],
+      bio: "A <b>surfer</b> & <em>coder</em>.",
     };
 
     let RemixStub = createRemixStub([
@@ -241,6 +242,9 @@ describe("meta", () => {
       container.querySelector('script[type="application/ld+json"]')
         ?.innerHTML || "{}";
     expect(JSON.parse(scriptTagContents)).toEqual(jsonLd);
+    expect(scriptTagContents).toContain(
+      "A \\u003cb\\u003esurfer\\u003c/b\\u003e \\u0026 \\u003cem\\u003ecoder\\u003c/em\\u003e."
+    );
   });
 
   it("{ tagName: 'link' } adds a <link />", () => {

packages/remix-react/components.tsx

@@ -689,7 +689,7 @@ export function Meta() {
               <script
                 key={`script:ld+json:${json}`}
                 type="application/ld+json"
-                dangerouslySetInnerHTML={{ __html: json }}
+                dangerouslySetInnerHTML={{ __html: escapeHtml(json) }}
               />
             );
           } catch (err) {