From d4360cd107852960454c12fece72906179821ff1 Mon Sep 17 00:00:00 2001
From: William Zujkowski
Date: Mon, 22 Jun 2026 23:39:18 -0400
Subject: [PATCH] fix(web): escape JSON-LD to prevent breakout XSS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Schema.org Legislation JSON-LD on statute pages was rendered via `set:html={JSON.stringify(...)}`. JSON.stringify does not escape `<`, `>`, or `&`, and Astro's set:html adds no escaping — so a statute whose title/classification (derived from OLRC XML) contained `` would terminate the JSON-LD script element and inject live HTML. Apply the standard safe-JSON-in-`. `astro build` passes.

Refs #200 (H1)
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 apps/web/src/pages/statute/[...slug].astro | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/web/src/pages/statute/[...slug].astro b/apps/web/src/pages/statute/[...slug].astro
index 33f7338..438e6f0 100644
--- a/apps/web/src/pages/statute/[...slug].astro
+++ b/apps/web/src/pages/statute/[...slug].astro
@@ -156,7 +156,7 @@ const readingTimeMin = Math.max(1, Math.round(wordCount / 200));
 "url": `https://civic-source.github.io${base}statute/${entry.id}/`,
 "dateModified": generated_at?.split('T')[0] ?? "2026-03-30",
 "publisher": { "@type": "Organization", "name": "Office of the Law Revision Counsel", "url": "https://uscode.house.gov/" }
-    })} />
+    }).replace(//g, '\\u003e').replace(/&/g, '\\u0026')} />