Skip to content
Tech News
← Back to articles

How to safely escape JSON inside HTML SCRIPT elements

2025-10-31 | original
read original get Amazon Echo → more articles

<script> tags follow unintuitive parsing rules that can break a webpage in surprising ways. Fortunately, it’s relatively straightforward to escape JSON for script tags.

Just do this

Replace < with \x3C or \u003C in JSON strings.

with or in JSON strings. In PHP, use json_encode($data, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES) for safe JSON in <script> tags.

for safe JSON in tags. In WordPress, use wp_json_encode with the same flags.

You don’t have to take my word for it, the HTML standard recommends this type of escaping:

The easiest and safest … is to always escape an ASCII case-insensitive match for “ <!-- ” as “ \x3C!-- “, “ <script ” as “ \x3Cscript “, and “ </script ” as “ \x3C/script “…

This post will dive deep into the exotic script tag parsing rules in order to understand how they work and why this is the appropriate way to escape JSON.

What’s so gnarly about a script tag?

Script tags are used to embed other languages in HTML. The most common example is JavaScript:

... continue reading

Explore topics: data escaped html script tag
Related:
The Three Pillars of JavaScript Bloat
Millions Face Mobile Internet Outages in Moscow. 'Digital Crackdown' Feared
Engineer Says It’s Time to Rebuild the Twin Towers as Giant Data Centers With Anti-Aircraft Lasers on the Roof
Grafeo – A fast, lean, embeddable graph database built in Rust
How Your Team Can Use AI to Turn Everyday Data into Extraordinary Results

© 2026 GoKawiil

About | Editorial Policy | Contact