Pass the string into json_encode to properly escape it. If you’re outputting to an HTML document, make sure to pass JSON_HEX_TAG as part of the options, to escape < and > and prevent a malicious user from ending your </script> tags early and introducing an XSS exploit.
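
The advice above as an added example (not code from the original answer): it encodes a constructed sample string with and without JSON_HEX_TAG, checks whether raw < or > survive, and then emits the value into an inline script. The helper name js_literal, the variable names and the sample string are assumptions; JSON_THROW_ON_ERROR goes beyond the answer and needs PHP 7.3+, and the mixed type needs PHP 8.0+.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the original answer): encode a PHP value
// for use as a JavaScript literal inside an inline <script> block.
function js_literal(mixed $value): string
{
    // JSON_HEX_TAG writes < and > as \u003C and \u003E, so the HTML parser
    // never sees tag-like text inside the script body.
    // JSON_THROW_ON_ERROR makes bad input (e.g. invalid UTF-8) raise an
    // exception instead of returning false, which would echo as nothing.
    return json_encode($value, JSON_HEX_TAG | JSON_THROW_ON_ERROR);
}

// Constructed sample input standing in for user-controlled data.
$comment = 'nice post </script><!-- trailing text';

$default = json_encode($comment, JSON_THROW_ON_ERROR); // default options
$hexTag  = js_literal($comment);                       // with JSON_HEX_TAG

// Report whether each encoding still contains raw angle brackets, which is
// what the HTML parser reacts to while it scans the script element.
foreach (['default options' => $default, 'JSON_HEX_TAG' => $hexTag] as $label => $js) {
    $raw = strpbrk($js, '<>') !== false ? 'yes' : 'no';
    printf("%-16s %s\n  raw < or > present: %s\n", $label, $js, $raw);
}

// The escaping is transparent to the consumer: decoding the JSON (or
// evaluating it as JavaScript) yields the original string.
if (json_decode($hexTag, false, 512, JSON_THROW_ON_ERROR) !== $comment) {
    throw new RuntimeException('round trip changed the value');
}
?>
<script>
  // The encoded value is a complete JavaScript string literal; do not wrap
  // it in extra quotes.
  const comment = <?= js_literal($comment) ?>;
  document.title = comment; // placeholder use of the value
</script>
```

This encoding is for the body of a script element only; a value placed in an HTML attribute or element text needs htmlspecialchars instead.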