fix: ensure json strings are properly encoded (#520)

* Potential fix for code scanning alert no. 2: Incomplete string escaping or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* chore: bump tests

* chore: bump snapshots

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: harlan-zw

packages/unhead/src/utils/templateParams.ts

@@ -19,6 +19,7 @@ function sub(p: TemplateParams, token: string, isJson = false) {
   if (val !== undefined) {
     return isJson
       ? (val || '')
+          .replace(/\\/g, '\\\\')
           .replace(/</g, '\\u003C')
           .replace(/"/g, '\\"')
       : val || ''

packages/unhead/test/unit/client/templateParams.test.ts

@@ -132,7 +132,7 @@ describe('templateParams', () => {
     expect(await useDelayedSerializedDom()).toMatchInlineSnapshot(`
       "<!DOCTYPE html><html><head>
 
-      <title>Home &amp; //&lt;"With Encoding"&gt;\\</title><script type="application/json">{"title":"Home & //\\u003C\\"With Encoding\\">\\"}</script></head>
+      <title>Home &amp; //&lt;"With Encoding"&gt;\\</title><script type="application/json">{"title":"Home & //\\u003C\\"With Encoding\\">\\\\"}</script></head>
       <body>
 
       <div>

packages/unhead/test/unit/server/templateParams.test.ts

@@ -116,7 +116,7 @@ describe('ssr templateParams', () => {
 
     expect(headTags).toMatchInlineSnapshot(`
       "<title>Home &amp; &#x2F;&#x2F;&lt;&quot;With Encoding&quot;&gt;\\</title>
-      <script type="application/json">{"title":"Home & //\\u003C\\"With Encoding\\">\\"}</script>"
+      <script type="application/json">{"title":"Home & //\\u003C\\"With Encoding\\">\\\\"}</script>"
     `)
   })