|
|
|
|
|
|
by minitech
315 days ago
|
|
|
Yes, that option is the real “just do this”. - escape `<` as `\u003c` <script id="my-json" type="application/json">{{ escaped_json }}</script>
JSON.parse(document.getElementById('my-json').textContent)
No __proto__ issue, and no dynamic code at all, so you can use a strict CSP. |
|
|